Bug 1965050
Summary: | RoleBinding and ClusterRoleBinding brought in by kubevirt does not get reconciled when kind is ServiceAccount | | |
---|---|---|---|
Product: | Container Native Virtualization (CNV) | Reporter: | Kedar Bidarkar <kbidarka> |
Component: | Virtualization | Assignee: | Itamar Holder <iholder> |
Status: | CLOSED ERRATA | QA Contact: | Kedar Bidarkar <kbidarka> |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | 4.8.0 | CC: | cnv-qe-bugs, fdeutsch, iholder, sgott |
Target Milestone: | --- | Flags: | aschuett: needinfo- |
Target Release: | 4.9.0 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | virt-operator-container-v4.9.0-25 hco-bundle-registry-container-v4.9.0-89 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | | |
: | 2000251 | Environment: | |
Last Closed: | 2021-11-02 15:58:50 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 2000251 | | |
Description
Kedar Bidarkar
2021-05-26 16:41:08 UTC
Ashley, I know each resource type has specific rules. Is the description of this BZ expected behavior?

Hey everyone,

We currently indeed reconcile only subject with "User" kind. This was done intentionally since that's what was done in OpenShift and we were trying to be safe.

According to Kubernetes documentation [1] there are 3 subject Kinds: users, groups, and service accounts. I see that we use all three of them and therefore will issue a PR to reconcile all RoleBinding / ClusterRoleBinding unconditionally.

(In reply to Itamar Holder from comment #2)
> Hey everyone,
>
> We currently indeed reconcile only subject with "User" kind.
> This was done intentionally since that's what was done in OpenShift and we
> were trying to be safe.
>
> According to Kubernetes documentation [1] there are 3 subject Kinds: users,
> groups, and service accounts. I see that we use all three of them and
> therefore will issue a PR to reconcile all RoleBinding / ClusterRoleBinding
> unconditionally.

Forgot to add link to documentation.

[1] https://kubernetes.io/docs/reference/access-authn-authz/rbac/

This was deferred to future due to the fact that it takes cluster admin privileges to manipulate this field, which somewhat limits the severity of the impact.

Moving this BZ back to "NEW" state. The associated PR was closed.

I believe this is a mistake that the associated PR was never updated to the correct one. I think this PR https://github.com/kubevirt/kubevirt/pull/5813 was merged to fix this bug and we can move this to modified. @iholder can you confirm?

Yes, @aschuett is absolutely right. Thanks for clarifying!

So this needs to be moved to POST again?

Moving the BZ to MODIFIED as the associated PR is merged.

VERIFIED with virt-operator: container-native-virtualization/virt-operator/images/v4.9.0-27

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Virtualization 4.9.0 Images security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4104
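The gap discussed in this bug, as an added Go example that is not KubeVirt's code: a drift check that only looks at bindings with "User" subjects misses an edited ServiceAccount subject, while a check over all subject kinds catches it. The types, function names and sample values are hypothetical stand-ins, and the user-only function is a simplified model of the behaviour described in the comments.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Subject and Binding are simplified local stand-ins for the Kubernetes
// rbac/v1 types (assumption, to keep the example free of dependencies).
type Subject struct{ Kind, Name, Namespace string }

type Binding struct {
	RoleRef  string
	Subjects []Subject
}

// subjectKeys returns an order-independent identity list for the subjects.
func subjectKeys(subs []Subject) []string {
	keys := make([]string, 0, len(subs))
	for _, s := range subs {
		keys = append(keys, s.Kind+"/"+s.Namespace+"/"+s.Name)
	}
	sort.Strings(keys)
	return keys
}

// NeedsReconcile compares role reference and subjects for every subject kind.
func NeedsReconcile(desired, live Binding) bool {
	d, l := subjectKeys(desired.Subjects), subjectKeys(live.Subjects)
	return desired.RoleRef != live.RoleRef || strings.Join(d, ",") != strings.Join(l, ",")
}

// NeedsReconcileUserOnly models the pre-fix behaviour described in the bug:
// a binding with any non-User subject is never compared, so drift is missed.
func NeedsReconcileUserOnly(desired, live Binding) bool {
	for _, s := range desired.Subjects {
		if s.Kind != "User" {
			return false
		}
	}
	return NeedsReconcile(desired, live)
}

func main() {
	// Constructed sample: the live binding's ServiceAccount subject was edited.
	desired := Binding{"ClusterRole/example-role", []Subject{{"ServiceAccount", "example-sa", "example-ns"}}}
	live := Binding{"ClusterRole/example-role", []Subject{{"ServiceAccount", "other-sa", "example-ns"}}}
	fmt.Println("user-only check sees drift:", NeedsReconcileUserOnly(desired, live))
	fmt.Println("all-kinds check sees drift:", NeedsReconcile(desired, live))
}
```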