Bug 1880202

Summary: GCP destroy leaves members in project IAM policy
Product: OpenShift Container Platform Reporter: OpenShift BugZilla Robot <openshift-bugzilla-robot>
Component: InstallerAssignee: Abhinav Dahiya <adahiya>
Installer sub component: openshift-installer QA Contact: To Hung Sze <tsze>
Status: CLOSED ERRATA Docs Contact:
Severity: urgent    
Priority: urgent CC: gpei, tsze, xiuwang
Version: 4.6   
Target Milestone: ---   
Target Release: 4.4.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-01 17:50:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1880134    
Bug Blocks:    

Description OpenShift BugZilla Robot 2020-09-17 22:52:41 UTC 
+++ This bug was initially created as a clone of Bug #1880134 +++

+++ This bug was initially created as a clone of Bug #1880132 +++

Description of problem:

GCP destroy leaves members in project IAM policy. This is because deleted service accounts end up converting the member in IAM policy to deleted:serviceAccount:{emailid}?uid={}

and the installer skips this member. I think there is a delay in service account deleted to the member getting modified and there fore the installer might clean up some of the ones that didn't get converted yet. This race definitely leaks in CI

How reproducible:

Steps to Reproduce:
1. Create cluster on GCP
2. Destroy the cluster
3. Check if all the member entries from project IAM policy has cleaned up.
Comment 2 To Hung Sze 2020-09-20 14:50:18 UTC 
Note that for shared xpn, IAM are also left in the host project. Discussed with dev.
https://bugzilla.redhat.com/show_bug.cgi?id=1872476
Comment 3 To Hung Sze 2020-09-21 14:02:56 UTC 
example of left behind IAM:
deleted:serviceAccount:tszegcp91820d-gf6pb-m.gserviceaccount.com?uid=112857808917372143622
Project
OpenShift QE
Comment 4 To Hung Sze 2020-09-22 02:01:35 UTC 
I don't see any IAM left behind today using 4.6.0-0.nightly-2020-09-21-081745
Comment 5 To Hung Sze 2020-09-22 02:05:53 UTC 
Wrong target version
Comment 9 To Hung Sze 2020-09-23 19:42:41 UTC 
Flexy job create / destroyed a 4.4.0-0.nightly-2020-09-20-175714 cluster.
No IAM left on gcp console.
Comment 11 errata-xmlrpc 2020-10-01 17:50:07 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.4.26 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:3764