Bug 1733883

Summary: Users able to create project even though self-provisioner clusterrole is removed from group system:authenticated:oauth
Product: OpenShift Container Platform
Reporter: pk <pchoo>
Component: apiserver-auth
Assignee: Standa Laznicka <slaznick>
Status: CLOSED NOTABUG
QA Contact: Wei Sun <wsun>
Severity: unspecified
Priority: unspecified
Version: 3.11.0
CC: aos-bugs, mfojtik, mmariyan
Target Milestone: ---
Target Release: 3.11.z
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2020-04-27 10:23:04 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description pk 2019-07-29 06:20:56 UTC
Description of problem:
$ oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth

Users became unable to create projects, which is expected.

However we did a master-restart api api

Users are able to create project.

Version-Release number of selected component (if applicable):
v3.11.104
Kubernetes v1.110+d4cacc0

How reproducible:
Every time. After masters restart, users are able to create projects with the CLI as well as from the GUI. $ oc describe clusterrolebinding.rbac self-provisioner is showing the correct annotations: rbac.authorization.kubernetes.io/autoupdate=false and empty subjects.

Steps to Reproduce:
1. remove clusterrole from group
2. annotate clusterrole
3. users unable to create project
4. restart master api
5. users are able to create project

Actual results:
users are able to create project after restart of master api

Expected results:
users should still be unable to create project after restart of master api

Additional info:
after removing clusterrole, we did a $ oc adm create-bootstrap-policy-file --filename=policy.json. The clusterrolebinding is not updated in policy.json even though $ oc describe clusterrolebinding.rbac is showing correct configuration.

I did an oc get clusterrolebindings | grep provisioner and there are 2 system groups, the self-provisioner and self-provisioners. I have removed subject from both but the annotation (rbac.authorization.kubernetes.io/autoupdate=false) is not taken.

For self-provisioner, I used rbac.authorization.kubernetes.io/autoupdate=false and restarting master does not forbid users from creating projects.

For self-provisioners, rbac.authorization.kubernetes.io/autoupdate=false does not stay after restart but updating openshift.io/reconcile-protect: false lets the change take effect and users are not able to create new projects.

Please verify the confusion for both clusterroles and the correct annotations to be added.

Comment 2 pk 2019-07-30 02:34:42 UTC
Hi,

I've tested and checked. These are the steps to disable self-provisioning:

1. $ oc get clusterrolebindings | grep prov
2. $ oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'
3. $ oc patch clusterrolebinding.rbac self-provisioner -p '{"subjects": null}'
4. $ oc get clusterrolebindings | grep prov (system:authenticated:oauth should not be there)
5. $ oc edit clusterrolebindings self-provisioner (edit annotation "rbac.authorization.kubernetes.io/autoupdate": "false")
6. $ oc edit clusterrolebindings self-provisioners (edit annotation "openshift.io/reconcile-protect": "true")
7. restart master services and the config stays.

With reference to our documentation, https://docs.openshift.com/container-platform/3.11/admin_guide/managing_projects.html#disabling-self-provisioning

annotation "openshift.io/reconcile-protect": "true" is not mentioned. May I check if the steps are correct?

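A post-restart check an admin could run over the output of `oc get clusterrolebinding -o json` to confirm that the state produced by the steps above survived (added example, not from the report or from OpenShift; the expected annotation per binding follows what the reporter found, and the sample JSON is constructed):

```python
import json

# Names from the report: the group granted self-provisioning, the two bindings
# that carry it, and the annotation the reporter found kept each binding from
# being reconciled back by the bootstrap policy on master restart.
OAUTH_GROUP = "system:authenticated:oauth"
EXPECTED_ANNOTATION = {
    "self-provisioner": ("rbac.authorization.kubernetes.io/autoupdate", "false"),
    "self-provisioners": ("openshift.io/reconcile-protect", "true"),
}


def audit_self_provisioning(binding_list_json):
    """Return {binding name: [problems]} for the two self-provisioner bindings
    in an `oc get clusterrolebinding -o json` list document."""
    items = {i["metadata"]["name"]: i
             for i in json.loads(binding_list_json)["items"]}
    report = {}
    for name, (key, value) in EXPECTED_ANNOTATION.items():
        problems = []
        item = items.get(name)
        if item is None:
            problems.append("binding missing")
        else:
            # `subjects` is null after `oc patch ... -p '{"subjects": null}'`.
            subjects = item.get("subjects") or []
            if any(s.get("kind") == "Group" and s.get("name") == OAUTH_GROUP
                   for s in subjects):
                problems.append(f"still bound to {OAUTH_GROUP}")
            annotations = item["metadata"].get("annotations") or {}
            if annotations.get(key) != value:
                problems.append(f"missing annotation {key}={value}")
        report[name] = problems
    return report


# Constructed sample: self-provisioner is fixed; self-provisioners has been
# restored by reconciliation, as the reporter observed after a restart.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "self-provisioner",
                  "annotations": {"rbac.authorization.kubernetes.io/autoupdate": "false"}},
     "subjects": None},
    {"metadata": {"name": "self-provisioners",
                  "annotations": {"rbac.authorization.kubernetes.io/autoupdate": "false"}},
     "subjects": [{"kind": "Group", "name": OAUTH_GROUP}]},
]})

if __name__ == "__main__":
    for binding, problems in audit_self_provisioning(SAMPLE).items():
        print(binding, "OK" if not problems else "; ".join(problems))
```
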
Comment 4 Standa Laznicka 2020-04-27 10:23:04 UTC
case was closed