Bug 1784822
| Summary: | e2e failure: system:authenticated has extra permissions in namespace | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | W. Trevor King <wking> |
| Component: | Service Catalog | Assignee: | Jesus M. Rodriguez <jesusr> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fan Jia <jfan> |
| Severity: | urgent | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 4.4 | CC: | aos-bugs, mfojtik, scuppett |
| Target Milestone: | --- | ||
| Target Release: | 4.4.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-12-18 13:56:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Actually, moving to the Service Catalog folks, since those look like their permissions leaking in. Here we are in a release informer [1]. And [2], which was for [3]. 4.4 CI build before [3] passed, which might give a set of reversion candidates, but none of the linked pull requests are jumping out at me as obvious suspects. [1]: https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/logs/release-openshift-origin-installer-e2e-gcp-4.4/369 [2]: https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/logs/release-openshift-origin-installer-e2e-gcp-4.4/365 [3]: https://openshift-release.svc.ci.openshift.org/releasestream/4.4.0-0.ci/release/4.4.0-0.ci-2019-12-18-041739 Restricting the search to AWS PR presubmits, this shows up in 50% of our failures and we only have a 28% pass rate [1]. Raising to urgent. [1]: https://search.svc.ci.openshift.org/chart?name=pull-ci.*e2e-aws$&search=system:authenticated%20has%20extra%20permissions%20in%20namespace *** This bug has been marked as a duplicate of bug 1784334 *** |
E.g. [1]: fail [github.com/openshift/origin/test/extended/authorization/rbac/groups_default_rules.go:222]: Dec 18 11:37:31.634: system:authenticated has extra permissions in namespace "": {APIGroups:["servicecatalog.k8s.io"], Resources:["clusterserviceclasses"], Verbs:["list" "watch" "get"]} {APIGroups:["servicecatalog.k8s.io"], Resources:["clusterserviceplans"], Verbs:["list" "watch" "get"]} {NonResourceURLs:["/healthz/ready"], Verbs:["get"]} failed: (11.6s) 2019-12-18T11:37:31 "[Feature:OpenShiftAuthorization] The default cluster RBAC policy should have correct RBAC rules [Suite:openshift/conformance/parallel]" Searching for the extra-permissions string [2], we have almost 200 in the past 24h, showing up in 13% of failed e2e jobs. Seems to be specific to CI and 4.4. [1]: https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/pr-logs/pull/openshift_installer/2821/pull-ci-openshift-installer-master-e2e-aws/9180 [2]: https://search.svc.ci.openshift.org/chart?search=fail.*system:authenticated%20has%20extra%20permissions%20in%20namespace&search=failed:.*The%20default%20cluster%20RBAC%20policy%20should%20have%20correct%20RBAC%20rules