Bug 1629524
Summary: | Should remove warning message for remove-cluster-role-from-user compared with add-cluster-role-to-user | ||
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | XiaochuanWang <xiaocwan> |
Component: | apiserver-auth | Assignee: | Standa Laznicka <slaznick> |
Status: | CLOSED ERRATA | QA Contact: | scheng |
Severity: | low | Docs Contact: | |
Priority: | medium | ||
Version: | 3.11.0 | CC: | agawand, akhaire, amdas, aos-bugs, igortiunov, nagrawal, pkanthal, rabdulra, rekhan, scheng, ssadhale, suchaudh |
Target Milestone: | --- | ||
Target Release: | 4.6.0 | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: |
Cause:
When removing cluster role from user, all rolebindings containing the role were considered instead of those just containing the user.
Consequence:
When a rolebinding that wouldn't change contained the `rbac.authorization.kubernetes.io/autoupdate=false` annotation, a warning about changing a managed rolebinding was issued.
Fix:
Only perform the annotation check on rolebindings that are going to change.
Result:
No unnecessary warnings on `oc adm policy remove-cluster-role-from-user`.
|
Last Closed: | 2020-10-27 15:54:19 UTC | Type: | Bug |
Description
XiaochuanWang
2018-09-17 03:16:11 UTC
When a master is restarted, the default subjects which were removed will be added back to {cluster}rolebindings, and it won't remove the subjects that you had added to {cluster}rolebindings before, so it doesn't need to add warning info when using add verb, thanks.

Still present in 4.4 FYI, following warning message seen while adding remove-cluster-role-from-group policy in Version OpenShift dedicated: 4.4.16

========
❯ oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth
Warning: Your changes may get lost whenever a master is restarted, unless you prevent reconciliation of this rolebinding using the following command: oc annotate clusterrolebinding.rbac self-provisioners 'rbac.authorization.kubernetes.io/autoupdate=false' --overwrite
clusterrole.rbac.authorization.k8s.io/self-provisioner removed: "system:authenticated:oauth"
❯ oc annotate clusterrolebinding.rbac self-provisioners 'rbac.authorization.kubernetes.io/autoupdate=false' --overwrite
Error from server (NotFound): clusterrolebindings.rbac.authorization.k8s.io "self-provisioners" not found
========

Currently, we have suggested customer to ignore warning message and changes applied won't roll back after master restarted.

The fix will be included in oc 4.6 release.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196
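
A minimal Go model of the Cause and Fix in the Doc Text above, added here as an illustration and not taken from the oc source. The `Binding` type, the function names, the sample bindings and the `reconciled` check (which follows the wording of the quoted warning) are assumptions.

```go
package main

import "fmt"

// Binding is a simplified stand-in for a (cluster)rolebinding, not the real API type.
type Binding struct {
	Name, Role  string
	Subjects    []string
	Annotations map[string]string
}

const autoUpdateKey = "rbac.authorization.kubernetes.io/autoupdate"

// reconciled is an assumed check modelled on the warning text quoted in the report:
// a binding may be rewritten on restart unless it is annotated autoupdate=false.
func reconciled(b Binding) bool { return b.Annotations[autoUpdateKey] != "false" }

func hasSubject(b Binding, subject string) bool {
	for _, s := range b.Subjects {
		if s == subject {
			return true
		}
	}
	return false
}

// warnFor lists the bindings that removing subject from role would warn about.
// onlyChanged=false checks every binding of the role (pre-fix); true checks only those that change.
func warnFor(bs []Binding, role, subject string, onlyChanged bool) []string {
	var names []string
	for _, b := range bs {
		if b.Role == role && (!onlyChanged || hasSubject(b, subject)) && reconciled(b) {
			names = append(names, b.Name)
		}
	}
	return names
}

// sampleBindings is constructed data, not taken from a real cluster.
var sampleBindings = []Binding{
	{"provisioners-ci", "self-provisioner", []string{"system:serviceaccount:ci:builder"}, nil},
	{"provisioners-oauth", "self-provisioner", []string{"system:authenticated:oauth"}, map[string]string{autoUpdateKey: "false"}},
	{"provisioners-all", "self-provisioner", []string{"system:authenticated:oauth", "system:serviceaccount:ci:builder"}, nil},
}

func main() {
	const role, subject = "self-provisioner", "system:authenticated:oauth"
	fmt.Println("pre-fix:", warnFor(sampleBindings, role, subject, false))
	fmt.Println("fixed:  ", warnFor(sampleBindings, role, subject, true))
}
```

In the constructed data, `provisioners-ci` does not contain the subject being removed, so only the pre-fix selection reports it.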