Bug 1921911

Summary: Installer PR #4589 is causing leak of IAM role policy bindings
Product: OpenShift Container Platform Reporter: Patrick Dillon <padillon>
Component: InstallerAssignee: Patrick Dillon <padillon>
Installer sub component: openshift-installer QA Contact: To Hung Sze <tsze>
Status: CLOSED ERRATA Docs Contact:
Severity: urgent    
Priority: unspecified    
Version: 4.8   
Target Milestone: ---   
Target Release: 4.7.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-02-24 15:57:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Patrick Dillon 2021-01-28 20:22:03 UTC
Error setting IAM policy for project "openshift-gce-devel-ci": googleapi: Error 400: The number of members in the policy (1,501) is larger than the maximum allowed size 1,500., badRequest

caused by https://github.com/openshift/installer/pull/4589/files

There is a PR open to revert.

The above code is only looking at email addresses so is missing some service accounts where the email addresses do not begin with infra id. We can detect those via the names, which do start with infra id. Will follow up with subsequent PR.

Comment 2 To Hung Sze 2021-02-01 23:41:59 UTC
Closing as this is to revert a previous change.

Comment 5 errata-xmlrpc 2021-02-24 15:57:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633