Bug 1929351

Summary: hostpath-provisioner does not reconcile clusterrole/binding via kubectl
Product: Container Native Virtualization (CNV)
Component: Storage
Version: 2.6.0
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Reporter: Alex Kalenyuk <akalenyu>
Assignee: Alex Kalenyuk <akalenyu>
QA Contact: Alex Kalenyuk <akalenyu>
CC: alitke, cnv-qe-bugs, mrashish, ngavrilo, yadu
Target Release: 4.8.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: hostpath-provisioner-rhel8-operator v4.8.0-8
Last Closed: 2021-07-27 14:27:59 UTC
Type: Bug

Description Alex Kalenyuk 2021-02-16 17:44:12 UTC
Description of problem:
When editing clusterrole/binding created by the HPP operator via kubectl, it does not reconcile them back to the opinionated values

Version-Release number of selected component (if applicable):
HPP release 0.7.1

How reproducible:
100%

Steps to Reproduce:
1. Patch .rules list on clusterrole / .subjects on clusterrolebinding

Actual results:
rules list stays empty

Expected results:
rules list repopulated shortly after

Additional info:
[root@dell-r740xd-004 hostpath-provisioner]# ./cluster-up/kubectl.sh get clusterrole hostpath-provisioner -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    hostpathprovisioner.kubevirt.io/lastAppliedConfiguration: '{"metadata":{"name":"hostpath-provisioner","creationTimestamp":null,"labels":{"k8s-app":"hostpath-provisioner"}},"rules":[{"verbs":["get","list","watch","create","delete"],"apiGroups":[""],"resources":["persistentvolumes"]},{"verbs":["get","list","watch","update"],"apiGroups":[""],"resources":["persistentvolumeclaims"]},{"verbs":["get","list","watch"],"apiGroups":["storage.k8s.io"],"resources":["storageclasses"]},{"verbs":["list","watch","create","patch","update"],"apiGroups":[""],"resources":["events"]},{"verbs":["get"],"apiGroups":[""],"resources":["nodes"]}]}'
  creationTimestamp: "2021-02-16T16:31:10Z"
  labels:
    k8s-app: hostpath-provisioner
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:hostpathprovisioner.kubevirt.io/lastAppliedConfiguration: {}
        f:labels:
          .: {}
          f:k8s-app: {}
      f:rules: {}
    manager: hostpath-provisioner-operator
    operation: Update
    time: "2021-02-16T16:31:10Z"
  name: hostpath-provisioner
  resourceVersion: "1345"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/hostpath-provisioner
  uid: ddf7951a-4a95-4651-b8fc-37201216a3cb
rules:
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - watch
  - update
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - list
  - watch
  - create
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
[root@dell-r740xd-004 hostpath-provisioner]# ./cluster-up/kubectl.sh patch clusterrole hostpath-provisioner -p '{"rules":[]}'
clusterrole.rbac.authorization.k8s.io/hostpath-provisioner patched
[root@dell-r740xd-004 hostpath-provisioner]# ./cluster-up/kubectl.sh get clusterrole hostpath-provisioner -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    hostpathprovisioner.kubevirt.io/lastAppliedConfiguration: '{"metadata":{"name":"hostpath-provisioner","creationTimestamp":null,"labels":{"k8s-app":"hostpath-provisioner"}},"rules":[{"verbs":["get","list","watch","create","delete"],"apiGroups":[""],"resources":["persistentvolumes"]},{"verbs":["get","list","watch","update"],"apiGroups":[""],"resources":["persistentvolumeclaims"]},{"verbs":["get","list","watch"],"apiGroups":["storage.k8s.io"],"resources":["storageclasses"]},{"verbs":["list","watch","create","patch","update"],"apiGroups":[""],"resources":["events"]},{"verbs":["get"],"apiGroups":[""],"resources":["nodes"]}]}'
  creationTimestamp: "2021-02-16T16:31:10Z"
  labels:
    k8s-app: hostpath-provisioner
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:hostpathprovisioner.kubevirt.io/lastAppliedConfiguration: {}
        f:labels:
          .: {}
          f:k8s-app: {}
    manager: hostpath-provisioner-operator
    operation: Update
    time: "2021-02-16T16:31:10Z"
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:rules: {}
    manager: .kubectl
    operation: Update
    time: "2021-02-16T16:32:25Z"
  name: hostpath-provisioner
  resourceVersion: "1538"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/hostpath-provisioner
  uid: ddf7951a-4a95-4651-b8fc-37201216a3cb
rules: null

Note:
Making any edit on the DaemonSet (which does get reconciled correctly) will trigger the reconciliation for the clusterrole/binding as well.
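
A drift check for the state shown in the report, as an added example that is not part of the original bug report or the operator's code: it compares the live rules with the rules recorded in the hostpathprovisioner.kubevirt.io/lastAppliedConfiguration annotation and lists which field managers own f:rules in managedFields. It assumes the object is read as JSON (`-o json`); the function names are hypothetical and the sample object is constructed, trimmed from the output above.

```python
import json

ANNOTATION = "hostpathprovisioner.kubevirt.io/lastAppliedConfiguration"

def normalize(rules):
    """Order-insensitive form of a rules list; None (rules: null) equals []."""
    return sorted(
        json.dumps({k: sorted(v) for k, v in rule.items()}, sort_keys=True)
        for rule in (rules or [])
    )

def rules_owners(obj):
    """Field managers whose managedFields entry claims f:rules."""
    return [
        entry.get("manager")
        for entry in obj["metadata"].get("managedFields", [])
        if "f:rules" in entry.get("fieldsV1", {})
    ]

def check_drift(obj):
    """Compare live .rules with the rules stored in the operator's annotation."""
    desired = json.loads(obj["metadata"]["annotations"][ANNOTATION])
    drifted = normalize(obj.get("rules")) != normalize(desired.get("rules"))
    return {"drifted": drifted, "rules_owners": rules_owners(obj)}

# Constructed sample data: two of the five rules from the report, for brevity.
DESIRED_RULES = [
    {"verbs": ["get", "list", "watch", "create", "delete"],
     "apiGroups": [""], "resources": ["persistentvolumes"]},
    {"verbs": ["get"], "apiGroups": [""], "resources": ["nodes"]},
]

def sample(live_rules, rules_manager):
    """Build a trimmed ClusterRole object shaped like `get clusterrole -o json`."""
    return {
        "metadata": {
            "name": "hostpath-provisioner",
            "annotations": {ANNOTATION: json.dumps({"rules": DESIRED_RULES})},
            "managedFields": [
                {"manager": "hostpath-provisioner-operator", "fieldsV1": {"f:metadata": {}}},
                {"manager": rules_manager, "fieldsV1": {"f:rules": {}}},
            ],
        },
        "rules": live_rules,
    }

PATCHED = sample(None, ".kubectl")  # state after the patch: rules: null

if __name__ == "__main__":
    print(check_drift(PATCHED))
```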

Comment 2 Maya Rashish 2021-03-14 15:42:00 UTC
I am changing it to ON_QA with the assumption that the merged PR is a fix for the bug, let me know if that's wrong.

Comment 8 errata-xmlrpc 2021-07-27 14:27:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Virtualization 4.8.0 Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2920