Bug 1723851

Summary: Operators requesting cluster-scoped permission can trigger kube GC bug
Product: OpenShift Container Platform Reporter: Evan Cordell <ecordell>
Component: OLM    Assignee: Evan Cordell <ecordell>
OLM sub component: OLM QA Contact: Jian Zhang <jiazha>
Status: CLOSED ERRATA Docs Contact:
Severity: high    
Priority: high CC: bandrade, chuo, eparis, jfan, scolange, sponnaga
Version: 4.1.0   
Target Milestone: ---   
Target Release: 4.1.z   
Hardware: All   
OS: All   
Whiteboard: 4.1.5
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-28 19:54:45 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 7 Jian Zhang 2019-08-20 06:18:27 UTC
LGTM, steps as below:
Cluster version is 4.1.0-0.nightly-2019-08-19-173358
OLM version:
io.openshift.build.commit.url=https://github.com/operator-framework/operator-lifecycle-manager/commit/e782ca5034ae1fc706145ffd4634ebdffb58b2ba
io.openshift.build.source-location=https://github.com/operator-framework/operator-lifecycle-manager

1) Install an operator which contains a `clusterPermissions` field. For example, AMQ Streams.

mac:~ jianzhang$ oc get sub -n openshift-operators
NAME          PACKAGE       SOURCE                                 CHANNEL
amq-streams   amq-streams   installed-redhat-openshift-operators   stable
mac:~ jianzhang$ oc get csv -n openshift-operators
NAME                DISPLAY       VERSION   REPLACES            PHASE
amqstreams.v1.2.0   AMQ Streams   1.2.0     amqstreams.v1.1.0   Succeeded

2) Check whether its `ClusterRole`/`ClusterRoleBinding` objects contain the `ownerReferences` field.
mac:~ jianzhang$ oc get clusterrole amqstreams.v1.2.0-65zzh -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2019-08-20T06:09:06Z"
  labels:
    olm.owner: amqstreams.v1.2.0
    olm.owner.kind: ClusterServiceVersion
    olm.owner.namespace: openshift-operators
  name: amqstreams.v1.2.0-65zzh
  resourceVersion: "60969"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/amqstreams.v1.2.0-65zzh
  uid: 04665d3a-c311-11e9-9ac3-02244971cb6e
rules:
...

mac:~ jianzhang$ oc get clusterrolebinding amqstreams.v1.2.0-65zzh-strimzi-cluster-operator-95n7h -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2019-08-20T06:09:06Z"
  labels:
    olm.owner: amqstreams.v1.2.0
    olm.owner.kind: ClusterServiceVersion
    olm.owner.namespace: openshift-operators
  name: amqstreams.v1.2.0-65zzh-strimzi-cluster-operator-95n7h
  resourceVersion: "60972"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/amqstreams.v1.2.0-65zzh-strimzi-cluster-operator-95n7h
  uid: 04695dae-c311-11e9-9ac3-02244971cb6e
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: amqstreams.v1.2.0-65zzh
subjects:
- kind: ServiceAccount
  name: strimzi-cluster-operator
  namespace: openshift-operators

No `ownerReferences` field anymore. LGTM, verifying it.
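The check performed by hand above (look at a cluster-scoped RBAC object and confirm it has no `ownerReferences`, only the `olm.owner*` labels) can be scripted. Kubernetes requires a cluster-scoped dependent to have a cluster-scoped owner; an `ownerReferences` entry carries no namespace, so a ClusterRole pointing at a namespaced ClusterServiceVersion is something the garbage collector can never resolve, which is the class of bug the summary refers to. The audit below is an added example written for this report, not OLM code. The set of cluster-scoped and namespaced kinds is a minimal assumption, the "fixed" sample mirrors the shape of the `oc get clusterrole -o yaml` output above, and the "broken" sample is constructed to show the pre-fix shape (its `uid` is a placeholder).

```python
"""Audit Kubernetes objects for ownerReferences the garbage collector cannot
resolve: a cluster-scoped dependent whose owner kind is namespaced.

Added example for this bug's verification steps; not OLM code. Kind sets are
a minimal assumption; sample objects are constructed (see comments).
"""
from typing import Dict, List

# Kinds that live outside any namespace (assumption: the RBAC kinds OLM
# creates for `clusterPermissions`, plus a few other common ones).
CLUSTER_SCOPED_KINDS = {
    "ClusterRole",
    "ClusterRoleBinding",
    "CustomResourceDefinition",
    "Namespace",
    "PersistentVolume",
}

# Owner kinds that are namespaced and therefore can never own a
# cluster-scoped dependent. ClusterServiceVersion is OLM's namespaced CSV
# kind (compare the olm.owner.namespace label in the report).
NAMESPACED_OWNER_KINDS = {"ClusterServiceVersion", "Deployment", "ReplicaSet", "ServiceAccount"}


def is_cluster_scoped(obj: Dict) -> bool:
    """A cluster-scoped object has a cluster-scoped kind and no metadata.namespace."""
    return obj.get("kind") in CLUSTER_SCOPED_KINDS and not obj.get("metadata", {}).get("namespace")


def find_invalid_owner_refs(obj: Dict) -> List[str]:
    """Return one finding per ownerReference the kube GC cannot resolve."""
    if not is_cluster_scoped(obj):
        return []
    meta = obj.get("metadata", {})
    findings = []
    for ref in meta.get("ownerReferences", []):
        if ref.get("kind") in NAMESPACED_OWNER_KINDS:
            findings.append(
                f"{obj['kind']}/{meta.get('name')}: ownerReference to namespaced "
                f"{ref.get('kind')}/{ref.get('name')} cannot be resolved by GC"
            )
    return findings


def olm_owner(obj: Dict) -> Dict:
    """Resolve the intended owner from OLM's label-based ownership scheme.

    The fixed objects in the report carry olm.owner, olm.owner.kind and
    olm.owner.namespace labels instead of an ownerReference.
    """
    labels = obj.get("metadata", {}).get("labels", {})
    return {
        "kind": labels.get("olm.owner.kind"),
        "name": labels.get("olm.owner"),
        "namespace": labels.get("olm.owner.namespace"),
    }


def audit(objects: List[Dict]) -> List[str]:
    """Run the check over a list of objects (e.g. `items` from `oc get ... -o json`)."""
    findings: List[str] = []
    for obj in objects:
        findings.extend(find_invalid_owner_refs(obj))
    return findings


# Constructed sample mirroring the fixed ClusterRole in the report:
# labels only, no ownerReferences.
FIXED_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {
        "name": "amqstreams.v1.2.0-65zzh",
        "labels": {
            "olm.owner": "amqstreams.v1.2.0",
            "olm.owner.kind": "ClusterServiceVersion",
            "olm.owner.namespace": "openshift-operators",
        },
    },
    "rules": [],
}

# Constructed sample of the pre-fix shape (assumption, not taken from the
# report): the same ClusterRole carrying an ownerReference to the namespaced CSV.
BROKEN_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {
        "name": "amqstreams.v1.2.0-65zzh",
        "ownerReferences": [
            {
                "apiVersion": "operators.coreos.com/v1alpha1",
                "kind": "ClusterServiceVersion",
                "name": "amqstreams.v1.2.0",
                "uid": "00000000-0000-0000-0000-000000000000",  # placeholder uid
            }
        ],
    },
    "rules": [],
}

if __name__ == "__main__":
    for line in audit([FIXED_CLUSTERROLE, BROKEN_CLUSTERROLE]):
        print(line)
    print("owner of fixed object:", olm_owner(FIXED_CLUSTERROLE))
```

To run it against a live cluster, feed `audit()` the `items` list from `oc get clusterrole,clusterrolebinding -o json`; the fixed objects produce no findings, and their owner is recovered from the labels with `olm_owner()` rather than from an owner reference.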

Comment 9 errata-xmlrpc 2019-08-28 19:54:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2547