Bug 1629524

Summary: Should remove warning message for remove-cluster-role-from-user compared with add-cluster-role-to-user
Product: OpenShift Container Platform Reporter: XiaochuanWang <xiaocwan>
Component: apiserver-auth Assignee: Standa Laznicka <slaznick>
Status: CLOSED ERRATA QA Contact: scheng
Severity: low Docs Contact:
Priority: medium    
Version: 3.11.0 CC: agawand, akhaire, amdas, aos-bugs, igortiunov, nagrawal, pkanthal, rabdulra, rekhan, scheng, ssadhale, suchaudh
Target Milestone: ---   
Target Release: 4.6.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: When removing a cluster role from a user, all rolebindings containing the role were considered instead of just those containing the user.
Consequence: When a rolebinding that wouldn't change contained the `rbac.authorization.kubernetes.io/autoupdate=false` annotation, a warning about changing a managed rolebinding was issued.
Fix: Only perform the annotation check on rolebindings that are going to change.
Result: No unnecessary warnings on `oc adm policy remove-cluster-role-from-user`.
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-27 15:54:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
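
The Cause and Fix in the Doc Text above, modelled as an added Go illustration (not the `oc` source and not code from this bug). The `Binding` type, the `managed` rule (annotation value "true" means the binding is reconciled), the subjects and the third binding name are assumptions constructed for the example.

```go
package main

import "fmt"

// Binding is a simplified, hypothetical stand-in for a ClusterRoleBinding.
type Binding struct {
	Name, Role  string
	Subjects    []string
	Annotations map[string]string
}

const autoUpdate = "rbac.authorization.kubernetes.io/autoupdate"
// Assumption: a binding is subject to reconciliation when autoupdate is "true".
func managed(b Binding) bool { return b.Annotations[autoUpdate] == "true" }

func hasSubject(b Binding, subject string) bool {
	for _, s := range b.Subjects {
		if s == subject {
			return true
		}
	}
	return false
}

// Warned lists the bindings a removal would warn about. onlyChanged=false models
// the reported behaviour (all bindings for the role); true models the fix.
func Warned(bs []Binding, role, subject string, onlyChanged bool) []string {
	warned := []string{}
	for _, b := range bs {
		if b.Role == role && (!onlyChanged || hasSubject(b, subject)) && managed(b) {
			warned = append(warned, b.Name)
		}
	}
	return warned
}

// Sample is constructed data; subjects and the third binding name are invented.
func Sample() []Binding {
	auto := map[string]string{autoUpdate: "true"}
	return []Binding{
		{"cluster-admin", "cluster-admin", []string{"system:masters"}, auto},
		{"cluster-admins", "cluster-admin", []string{"system:cluster-admins"}, auto},
		{"cluster-admin-example", "cluster-admin", []string{"xiaocwan"}, nil},
	}
}

func main() {
	fmt.Println(Warned(Sample(), "cluster-admin", "xiaocwan", false), Warned(Sample(), "cluster-admin", "xiaocwan", true))
}
```

With the fix modelled, a warning is still produced when the subject being removed belongs to a managed binding, since that binding really does change.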

Description XiaochuanWang 2018-09-17 03:16:11 UTC
Description of problem:
#oc adm policy remove-cluster-role-from-user cluster-admin xiaocwan
There is some warning info which should be removed. "Your changes may get lost whenever a master is restarted" should only apply to system clusterrolebinding changes. But my added clusterrolebinding for normal user xiaocwan is not changing a system clusterrolebinding, thus it need not prompt the warning.

Version-Release number of selected component (if applicable):
oc v3.11.6
kubernetes v1.11.0+d4cacc0

How reproducible:
always

Steps to Reproduce:
1. # oc adm policy add-cluster-role-to-user cluster-admin xiaocwan
cluster role "cluster-admin" added: "xiaocwan"

2. #oc adm policy remove-cluster-role-from-user cluster-admin xiaocwan
Warning: Your changes may get lost whenever a master is restarted, unless you prevent reconciliation of this rolebinding using the following command: oc annotate clusterrolebinding.rbac cluster-admin 'rbac.authorization.kubernetes.io/autoupdate=false' --overwriteWarning: Your changes may get lost whenever a master is restarted, unless you prevent reconciliation of this rolebinding using the following command: oc annotate clusterrolebinding.rbac cluster-admins 'rbac.authorization.kubernetes.io/autoupdate=false' --overwritecluster role "cluster-admin" removed: "xiaocwan"


Actual results:
2. The warning info should not display. Please also notice it is displayed twice without space in "--overwriteWarning"

Expected results:
2. Since add-cluster-role-to-user does not show warning info, remove-cluster-role-from-user should remove the info as well.

Additional info:

Comment 1 scheng 2018-09-17 07:21:09 UTC
When a master is restarted, the default subjects which were removed will be added back to {cluster}rolebindings, and it won't remove the subjects that you had added to {cluster}rolebindings before, so it doesn't need to add warning info when using the add verb, thanks.

Comment 14 ITD27M01 2020-05-19 10:18:46 UTC
Still present in 4.4

Comment 19 Amit Kumar Das 2020-10-19 06:57:20 UTC
FYI, the following warning message was seen while adding a remove-cluster-role-from-group policy in OpenShift Dedicated version 4.4.16:

========
 ❯ oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth
 Warning: Your changes may get lost whenever a master is restarted, unless you prevent reconciliation of this rolebinding using the following command: oc annotate clusterrolebinding.rbac self-provisioners 'rbac.authorization.kubernetes.io/autoupdate=false' --overwrite

clusterrole.rbac.authorization.k8s.io/self-provisioner removed: "system:authenticated:oauth"

❯ oc annotate clusterrolebinding.rbac self-provisioners 'rbac.authorization.kubernetes.io/autoupdate=false' --overwrite
 Error from server (NotFound): clusterrolebindings.rbac.authorization.k8s.io "self-provisioners" not found
========


Currently, we have suggested that the customer ignore the warning message; the changes applied won't roll back after the master is restarted. The fix will be included in the oc 4.6 release.

Comment 21 errata-xmlrpc 2020-10-27 15:54:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196