Bug 1580538
Summary: | Unable to disallow project creation from system:authenticated users after upgrade to 3.9 | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | emahoney |
Component: | apiserver-auth | Assignee: | Simo Sorce <ssorce> |
Status: | CLOSED ERRATA | QA Contact: | Chuan Yu <chuyu> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 3.9.0 | CC: | aos-bugs, emahoney, jialiu, jokerman, mkhan, mmccomas, xtian |
Target Milestone: | --- | ||
Target Release: | 3.9.z | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | No Doc Update | |
Doc Text: |
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2018-06-27 18:02:09 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
emahoney
2018-05-21 17:51:39 UTC
The correct way to do this in 3.7+ is to not rely on the oc policy commands. Instead do as follows.

Save the following data as fix.yaml:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    # Opt this binding out of automatic RBAC reconciliation.
    rbac.authorization.kubernetes.io/autoupdate: "false"
  name: self-provisioners
# No subjects are listed, so the binding grants the role to nobody.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: self-provisioner
```

Then do an "oc create -f fix.yaml".

Opened https://github.com/openshift/origin/pull/19846 as a way to address use cases like these.

Verified. When clusterrolebinding self-provisioners has "openshift.io/reconcile-protect=true", the rolebinding will not be reconciled when the master service is restarted.

```
# openshift version
openshift v3.9.31
kubernetes v1.9.1+a0ce1bc657
etcd 3.2.16
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2013

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days
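An added example, not part of the bug report or of OpenShift's code: a small audit that checks whether a self-provisioners ClusterRoleBinding carries one of the two annotations mentioned in this thread and whether it still binds a group covering every logged-in user. The function name, the set of broad group names, and both sample bindings are assumptions constructed for illustration.

```python
import json

AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"
RECONCILE_PROTECT = "openshift.io/reconcile-protect"
# Assumption: groups whose membership covers every logged-in user.
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth"}


def audit_self_provisioners(crb):
    """Return findings for a self-provisioners ClusterRoleBinding dict ([] = OK)."""
    if crb.get("kind") != "ClusterRoleBinding":
        return ["not a ClusterRoleBinding"]
    findings = []
    role = crb.get("roleRef") or {}
    if (role.get("kind"), role.get("name")) != ("ClusterRole", "self-provisioner"):
        findings.append("roleRef is not ClusterRole/self-provisioner")
    ann = (crb.get("metadata") or {}).get("annotations") or {}
    # Annotation values are strings; an unquoted YAML false would not match.
    if ann.get(AUTOUPDATE) != "false" and ann.get(RECONCILE_PROTECT) != "true":
        findings.append("no reconcile opt-out: defaults can return on master restart")
    for subject in crb.get("subjects") or []:
        if subject.get("kind") == "Group" and subject.get("name") in BROAD_GROUPS:
            findings.append("group %s may create projects" % subject["name"])
    return findings


# Constructed samples: a default-looking binding and the one from fix.yaml above.
DEFAULT_BINDING = json.loads("""
{"kind": "ClusterRoleBinding",
 "metadata": {"name": "self-provisioners",
              "annotations": {"rbac.authorization.kubernetes.io/autoupdate": "true"}},
 "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
             "name": "self-provisioner"},
 "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group",
               "name": "system:authenticated:oauth"}]}
""")
FIXED_BINDING = json.loads("""
{"kind": "ClusterRoleBinding",
 "metadata": {"name": "self-provisioners",
              "annotations": {"rbac.authorization.kubernetes.io/autoupdate": "false"}},
 "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
             "name": "self-provisioner"}}
""")

if __name__ == "__main__":
    for name, crb in (("default", DEFAULT_BINDING), ("fixed", FIXED_BINDING)):
        print(name, audit_self_provisioners(crb) or "OK")
```

On a live cluster the same function can be fed the parsed output of `oc get clusterrolebinding self-provisioners -o json`, before and after a master restart.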