Bug 1784822

Summary: e2e failure: system:authenticated has extra permissions in namespace
Product: OpenShift Container Platform Reporter: W. Trevor King <wking>
Component: Service CatalogAssignee: Jesus M. Rodriguez <jesusr>
Status: CLOSED DUPLICATE QA Contact: Fan Jia <jfan>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 4.4CC: aos-bugs, mfojtik, scuppett
Target Milestone: ---   
Target Release: 4.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-12-18 13:56:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description W. Trevor King 2019-12-18 12:08:54 UTC
E.g. [1]:

fail [github.com/openshift/origin/test/extended/authorization/rbac/groups_default_rules.go:222]: Dec 18 11:37:31.634: system:authenticated has extra permissions in namespace "":
{APIGroups:["servicecatalog.k8s.io"], Resources:["clusterserviceclasses"], Verbs:["list" "watch" "get"]}
{APIGroups:["servicecatalog.k8s.io"], Resources:["clusterserviceplans"], Verbs:["list" "watch" "get"]}
{NonResourceURLs:["/healthz/ready"], Verbs:["get"]}

failed: (11.6s) 2019-12-18T11:37:31 "[Feature:OpenShiftAuthorization] The default cluster RBAC policy should have correct RBAC rules [Suite:openshift/conformance/parallel]"

Searching for the extra-permissions string [2], we have almost 200 in the past 24h, showing up in 13% of failed e2e jobs.  Seems to be specific to CI and 4.4.

[1]: https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/pr-logs/pull/openshift_installer/2821/pull-ci-openshift-installer-master-e2e-aws/9180
[2]: https://search.svc.ci.openshift.org/chart?search=fail.*system:authenticated%20has%20extra%20permissions%20in%20namespace&search=failed:.*The%20default%20cluster%20RBAC%20policy%20should%20have%20correct%20RBAC%20rules

Comment 1 W. Trevor King 2019-12-18 12:11:12 UTC
Actually, moving to the Service Catalog folks, since those look like their permissions leaking in.

Comment 2 W. Trevor King 2019-12-18 12:24:05 UTC
Here we are in a release informer [1].  And [2], which was for [3].  4.4 CI build before [3] passed, which might give a set of reversion candidates, but none of the linked pull requests are jumping out at me as obvious suspects.


[1]: https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/logs/release-openshift-origin-installer-e2e-gcp-4.4/369
[2]: https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/logs/release-openshift-origin-installer-e2e-gcp-4.4/365
[3]: https://openshift-release.svc.ci.openshift.org/releasestream/4.4.0-0.ci/release/4.4.0-0.ci-2019-12-18-041739

Comment 3 W. Trevor King 2019-12-18 13:47:46 UTC
Restricting the search to AWS PR presubmits, this shows up in 50% of our failures and we only have a 28% pass rate [1].  Raising to urgent.

[1]: https://search.svc.ci.openshift.org/chart?name=pull-ci.*e2e-aws$&search=system:authenticated%20has%20extra%20permissions%20in%20namespace

Comment 4 W. Trevor King 2019-12-18 13:56:57 UTC

*** This bug has been marked as a duplicate of bug 1784334 ***