Bug 1733883
| Summary: | Users able to create project even though self-provisioner clusterrole is removed from group system:authenticated:oauth | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | pk <pchoo> |
| Component: | apiserver-auth | Assignee: | Standa Laznicka <slaznick> |
| Status: | CLOSED NOTABUG | QA Contact: | Wei Sun <wsun> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 3.11.0 | CC: | aos-bugs, mfojtik, mmariyan |
| Target Milestone: | --- | | |
| Target Release: | 3.11.z | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-27 10:23:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
pk
2019-07-29 06:20:56 UTC
Hi, I've tested and checked. These are the steps to disable self-provisioning:

1. $ oc get clusterrolebindings | grep prov
2. $ oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'
3. $ oc patch clusterrolebinding.rbac self-provisioner -p '{"subjects": null}'
4. $ oc get clusterrolebindings | grep prov (system:authenticated:oauth should not be there)
5. $ oc edit clusterrolebindings self-provisioner (edit annotation "rbac.authorization.kubernetes.io/autoupdate": "false")
6. $ oc edit clusterrolebindings self-provisioners (edit annotation "openshift.io/reconcile-protect": "true")
7. Restart master services and the config stays.

With reference to our documentation, https://docs.openshift.com/container-platform/3.11/admin_guide/managing_projects.html#disabling-self-provisioning, annotation "openshift.io/reconcile-protect": "true" is not mentioned. May I check if the steps are correct?

Case was closed.
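
One way to verify the result of the steps above, as an added example that is not part of the original report or of OpenShift itself: it goes beyond the `grep prov` check by listing every ClusterRoleBinding that references the `self-provisioner` role, whatever the binding is called, and reporting whether `system:authenticated:oauth` is still a subject and whether auto-update is disabled. The sample data is constructed, and the binding name `custom-provisioners` is hypothetical.

```python
# Added example: audit which ClusterRoleBindings still grant the self-provisioner role.
# On a real cluster, pass json.loads() of `oc get clusterrolebindings -o json`.
AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"

# Constructed sample (not from the bug report); "custom-provisioners" is hypothetical.
SAMPLE = {"items": [
    {"metadata": {"name": "self-provisioners", "annotations": {AUTOUPDATE: "false"}},
     "roleRef": {"kind": "ClusterRole", "name": "self-provisioner"},
     "subjects": None},  # subjects missing or null after the patch with '{"subjects": null}'
    {"metadata": {"name": "custom-provisioners"},
     "roleRef": {"kind": "ClusterRole", "name": "self-provisioner"},
     "subjects": [{"kind": "Group", "name": "system:authenticated:oauth"}]},
    {"metadata": {"name": "cluster-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:cluster-admins"}]},
]}


def audit_self_provisioning(binding_list, role="self-provisioner",
                            group="system:authenticated:oauth"):
    """Return one finding per ClusterRoleBinding whose roleRef is `role`."""
    findings = []
    for crb in binding_list.get("items", []):
        ref = crb.get("roleRef") or {}
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        meta = crb.get("metadata") or {}
        annotations = meta.get("annotations") or {}
        subjects = crb.get("subjects") or []  # tolerate null / absent subjects
        findings.append({
            "binding": meta.get("name"),
            "subjects": sorted(f"{s.get('kind')}:{s.get('name')}" for s in subjects),
            "grants_group": any(s.get("kind") == "Group" and s.get("name") == group
                                for s in subjects),
            "autoupdate_disabled": annotations.get(AUTOUPDATE) == "false",
        })
    return findings


def bindings_granting_group(findings):
    """Names of bindings through which the group can still self-provision."""
    return [f["binding"] for f in findings if f["grants_group"]]


if __name__ == "__main__":
    for finding in audit_self_provisioning(SAMPLE):
        print(finding)
```
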