Bug 1806785
| Summary: | There are duplicate policy verbs in several cluster roles | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Liang Xia <lxia> |
| Component: | oc | Assignee: | Sally <somalley> |
| Status: | CLOSED ERRATA | QA Contact: | RamaKasturi <knarra> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.4 | CC: | aos-bugs, dsover, ecordell, jokerman, knarra, maszulik, mfojtik, slaznick |
| Target Milestone: | --- | Flags: | lxia: needinfo- |
| Target Release: | 4.6.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-10-27 15:55:31 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
The CRD seems to belong to openshift-marketplace, moving to OLM who own the resource and its RBAC.

This bug hasn't had any activity in the last 30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're marking this bug as "LifecycleStale" and decreasing severity from "medium" to "low". If you have further information on the current state of the bug, please update it, otherwise this bug will be automatically closed in 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant.

$ oc version
Client Version: 4.4.0-202005111349-2576e48
Server Version: 4.4.3
Kubernetes Version: v1.17.1
$ oc describe clusterrole.rbac view
Name: view
Labels: kubernetes.io/bootstrapping=rbac-defaults
rbac.authorization.k8s.io/aggregate-to-edit=true
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
namespaces [] [] [get get list watch]
packagemanifests.packages.operators.coreos.com [] [] [get list watch get list watch]
This will be fixed upstream, so I'm moving this to 4.6.

Upstream PR here: https://github.com/kubernetes/kubernetes/pull/91264

This bug is actively being worked on. Waiting on upstream review/merge.

I’m adding UpcomingSprint, because the work on this bug is done and approved but it is waiting for upstream CI to accept changes.

I’m adding UpcomingSprint, because the work on this bug is done upstream and should be pulled in with the latest kube bump happening now.

Please verify this is fixed in latest oc. Thanks.

Verified in the payload below and I do not see any duplicate verbs being listed, based on that moving the bug to verified state.

[ramakasturinarra@dhcp35-60 cucushift]$ oc version -o yaml
clientVersion:
buildDate: "2020-08-21T02:37:08Z"
compiler: gc
gitCommit: ea0d54068621ec0f95973068729f739f3dacfef7
gitTreeState: clean
gitVersion: 4.6.0-202008210209.p0-ea0d540
goVersion: go1.14.4
major: ""
minor: ""
platform: linux/amd64
openshiftVersion: 4.6.0-0.nightly-2020-08-21-011653
serverVersion:
buildDate: "2020-08-20T16:46:57Z"
compiler: gc
gitCommit: 3e083ac29409923906267ebcc5f8e0aa13072c72
gitTreeState: dirty
gitVersion: v1.19.0-rc.2+3e083ac-dirty
goVersion: go1.14.4
major: "1"
minor: 19+
platform: linux/amd64
[ramakasturinarra@dhcp35-60 cucushift]$ oc describe clusterrole.rbac view
Name: view
Labels: kubernetes.io/bootstrapping=rbac-defaults
rbac.authorization.k8s.io/aggregate-to-edit=true
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
appliedclusterresourcequotas [] [] [get list watch]
bindings [] [] [get list watch]
buildconfigs/webhooks [] [] [get list watch]
buildconfigs [] [] [get list watch]
buildlogs [] [] [get list watch]
builds/log [] [] [get list watch]
builds [] [] [get list watch]
configmaps [] [] [get list watch]
deploymentconfigs/log [] [] [get list watch]
deploymentconfigs/scale [] [] [get list watch]
deploymentconfigs/status [] [] [get list watch]
deploymentconfigs [] [] [get list watch]
endpoints [] [] [get list watch]
events [] [] [get list watch]
imagestreamimages [] [] [get list watch]
imagestreammappings [] [] [get list watch]
imagestreams/status [] [] [get list watch]
imagestreams [] [] [get list watch]
imagestreamtags [] [] [get list watch]
imagetags [] [] [get list watch]
limitranges [] [] [get list watch]
namespaces/status [] [] [get list watch]
namespaces [] [] [get list watch]
persistentvolumeclaims/status [] [] [get list watch]
persistentvolumeclaims [] [] [get list watch]
pods/log [] [] [get list watch]
pods/status [] [] [get list watch]
pods [] [] [get list watch]
processedtemplates [] [] [get list watch]
replicationcontrollers/scale [] [] [get list watch]
replicationcontrollers/status [] [] [get list watch]
replicationcontrollers [] [] [get list watch]
resourcequotas/status [] [] [get list watch]
resourcequotas [] [] [get list watch]
resourcequotausages [] [] [get list watch]
routes/status [] [] [get list watch]
routes [] [] [get list watch]
serviceaccounts [] [] [get list watch]
services/status [] [] [get list watch]
services [] [] [get list watch]
templateconfigs [] [] [get list watch]
templateinstances [] [] [get list watch]
templates [] [] [get list watch]
deploymentconfigs.apps.openshift.io/log [] [] [get list watch]
deploymentconfigs.apps.openshift.io/scale [] [] [get list watch]
deploymentconfigs.apps.openshift.io/status [] [] [get list watch]
deploymentconfigs.apps.openshift.io [] [] [get list watch]
controllerrevisions.apps [] [] [get list watch]
daemonsets.apps/status [] [] [get list watch]
daemonsets.apps [] [] [get list watch]
deployments.apps/scale [] [] [get list watch]
deployments.apps/status [] [] [get list watch]
deployments.apps [] [] [get list watch]
replicasets.apps/scale [] [] [get list watch]
replicasets.apps/status [] [] [get list watch]
replicasets.apps [] [] [get list watch]
statefulsets.apps/scale [] [] [get list watch]
statefulsets.apps/status [] [] [get list watch]
statefulsets.apps [] [] [get list watch]
horizontalpodautoscalers.autoscaling/status [] [] [get list watch]
horizontalpodautoscalers.autoscaling [] [] [get list watch]
cronjobs.batch/status [] [] [get list watch]
cronjobs.batch [] [] [get list watch]
jobs.batch/status [] [] [get list watch]
jobs.batch [] [] [get list watch]
buildconfigs.build.openshift.io/webhooks [] [] [get list watch]
buildconfigs.build.openshift.io [] [] [get list watch]
buildlogs.build.openshift.io [] [] [get list watch]
builds.build.openshift.io/log [] [] [get list watch]
builds.build.openshift.io [] [] [get list watch]
daemonsets.extensions/status [] [] [get list watch]
daemonsets.extensions [] [] [get list watch]
deployments.extensions/scale [] [] [get list watch]
deployments.extensions/status [] [] [get list watch]
deployments.extensions [] [] [get list watch]
ingresses.extensions/status [] [] [get list watch]
ingresses.extensions [] [] [get list watch]
networkpolicies.extensions [] [] [get list watch]
replicasets.extensions/scale [] [] [get list watch]
replicasets.extensions/status [] [] [get list watch]
replicasets.extensions [] [] [get list watch]
replicationcontrollers.extensions/scale [] [] [get list watch]
imagestreamimages.image.openshift.io [] [] [get list watch]
imagestreammappings.image.openshift.io [] [] [get list watch]
imagestreams.image.openshift.io/status [] [] [get list watch]
imagestreams.image.openshift.io [] [] [get list watch]
imagestreamtags.image.openshift.io [] [] [get list watch]
imagetags.image.openshift.io [] [] [get list watch]
nodes.metrics.k8s.io [] [] [get list watch]
pods.metrics.k8s.io [] [] [get list watch]
ingresses.networking.k8s.io/status [] [] [get list watch]
ingresses.networking.k8s.io [] [] [get list watch]
networkpolicies.networking.k8s.io [] [] [get list watch]
catalogsources.operators.coreos.com [] [] [get list watch]
clusterserviceversions.operators.coreos.com [] [] [get list watch]
installplans.operators.coreos.com [] [] [get list watch]
operatorgroups.operators.coreos.com [] [] [get list watch]
subscriptions.operators.coreos.com [] [] [get list watch]
packagemanifests.packages.operators.coreos.com/icon [] [] [get list watch]
packagemanifests.packages.operators.coreos.com [] [] [get list watch]
poddisruptionbudgets.policy/status [] [] [get list watch]
poddisruptionbudgets.policy [] [] [get list watch]
appliedclusterresourcequotas.quota.openshift.io [] [] [get list watch]
routes.route.openshift.io/status [] [] [get list watch]
routes.route.openshift.io [] [] [get list watch]
volumesnapshots.snapshot.storage.k8s.io [] [] [get list watch]
processedtemplates.template.openshift.io [] [] [get list watch]
templateconfigs.template.openshift.io [] [] [get list watch]
templateinstances.template.openshift.io [] [] [get list watch]
templates.template.openshift.io [] [] [get list watch]
imagestreams/layers [] [] [get]
projects [] [] [get]
imagestreams.image.openshift.io/layers [] [] [get]
projects.project.openshift.io [] [] [get]
jenkins.build.openshift.io [] [] [view]
From the above, I do not see any duplicate verbs.

Moving the bug to verified based on comment 14.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196

Description of problem:
Check clusterrole.rbac via "oc describe clusterrole.rbac"; several cluster roles contain duplicate policy verbs.

Version-Release number of selected component (if applicable):
4.4.0-0.nightly-2020-02-23-191320

How reproducible:
Always

Steps to Reproduce:
1. Check clusterrole.rbac via admin
$ oc describe clusterrole.rbac
Or for a shorter output,
$ oc describe clusterrole.rbac view

Actual results:
$ oc describe clusterrole.rbac view
Name: view
Labels: kubernetes.io/bootstrapping=rbac-defaults
rbac.authorization.k8s.io/aggregate-to-edit=true
Annotations: rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
Resources Non-Resource URLs Resource Names Verbs
--------- ----------------- -------------- -----
namespaces [] [] [get get list watch]
packagemanifests.packages.operators.coreos.com [] [] [get list watch get list watch]
appliedclusterresourcequotas [] [] [get list watch]
bindings [] [] [get list watch]
buildconfigs/webhooks [] [] [get list watch]
buildconfigs [] [] [get list watch]
buildlogs [] [] [get list watch]

Expected results:
No duplicate verbs.

Additional info:
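
The manual check in the reproduction steps can be automated. The following is an added example, not part of the original bug report or of the oc code base: a shell function that reads `oc describe clusterrole.rbac` output and reports every rule row whose verb list repeats a verb. The function names and the sample input (trimmed from the output quoted in this bug) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report PolicyRule rows whose verb list repeats a verb.
# Reads text in the `oc describe clusterrole.rbac` layout shown in this bug.
# Output: role <TAB> resource <TAB> comma-separated repeated verbs.
# On a live cluster: oc describe clusterrole.rbac | find_duplicate_verbs
find_duplicate_verbs() {
  awk '
    /^Name:/ { role = $2; next }              # a new role block starts here
    /\][ \t]*$/ {                             # rule rows end with the [verbs] column
      line = $0
      sub(/[ \t]+$/, "", line)
      start = 0
      for (i = length(line); i > 0; i--)      # opening bracket of the last column
        if (substr(line, i, 1) == "[") { start = i; break }
      if (start == 0) next
      n = split(substr(line, start + 1, length(line) - start - 1), verb, " ")
      split("", seen)                         # reset per-row counters
      dups = ""
      for (i = 1; i <= n; i++)
        if (seen[verb[i]]++ == 1)             # second occurrence: report once
          dups = dups (dups == "" ? "" : ",") verb[i]
      if (dups != "") printf "%s\t%s\t%s\n", role, $1, dups
    }
  '
}

# Constructed sample: rows trimmed from the "Actual results" in this bug.
sample_describe_output() {
  cat <<'EOF'
Name:         view
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources                                       Non-Resource URLs  Resource Names  Verbs
  ---------                                       -----------------  --------------  -----
  namespaces                                      []                 []              [get get list watch]
  packagemanifests.packages.operators.coreos.com  []                 []              [get list watch get list watch]
  bindings                                        []                 []              [get list watch]
EOF
}

# Demo run on the sample; empty output would mean no duplicate verbs.
sample_describe_output | find_duplicate_verbs
```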