Bug 1984904

Summary: roleRef.kind for monitoring-alertmanager-edit RoleBinding is wrong
Product: OpenShift Container Platform
Reporter: Junqi Zhao <juzhao>
Component: oc
Assignee: Filip Krepinsky <fkrepins>
Status: CLOSED NOTABUG
QA Contact: zhou ying <yinzhou>
Severity: medium
Priority: medium
Version: 4.9
CC: aos-bugs, jokerman, mfojtik
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2021-07-27 09:03:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Junqi Zhao 2021-07-22 12:51:12 UTC
Description of problem:
Create the monitoring-alertmanager-edit RoleBinding for user testuser-11:
# oc project openshift-monitoring; oc adm policy add-role-to-user monitoring-alertmanager-edit testuser-11; oc project default
or
# oc adm policy add-role-to-user monitoring-alertmanager-edit testuser-11 -n openshift-monitoring

Check the result: roleRef.kind is ClusterRole, which is wrong; it should be roleRef.kind: Role.
NOTE: this issue only happens with the oc client; there is no such issue if we create the RoleBinding from the console UI.

# oc -n openshift-monitoring get RoleBinding monitoring-alertmanager-edit -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2021-07-22T12:41:49Z"
  name: monitoring-alertmanager-edit
  namespace: openshift-monitoring
  resourceVersion: "225504"
  uid: a72aed41-e624-4690-830f-1236dedab857
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: monitoring-alertmanager-edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: testuser-11

# oc -n openshift-monitoring get role monitoring-alertmanager-edit -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2021-07-22T05:26:34Z"
  name: monitoring-alertmanager-edit
  namespace: openshift-monitoring
  resourceVersion: "7822"
  uid: aef16a78-0858-4329-bcca-b9759898b073
rules:
- apiGroups:
  - monitoring.coreos.com
  resourceNames:
  - non-existant
  resources:
  - alertmanagers
  verbs:
  - patch

Version-Release number of selected component (if applicable):
# oc version
Client Version: 4.9.0-0.nightly-2021-07-21-081948
Server Version: 4.9.0-0.nightly-2021-07-21-081948
Kubernetes Version: v1.21.1+8268f88


How reproducible:
always

Steps to Reproduce:
1. see the description

Actual results:
roleRef.kind is ClusterRole

Expected results:
roleRef.kind is Role

Additional info:

Comment 1 Filip Krepinsky 2021-07-26 19:20:54 UTC
According to the help: $ oc adm policy add-role-to-user -h

Add a role to users or service accounts for the current project

So the -n openshift-monitoring only specifies the namespace in which the command should take place (where the RoleBinding should be created).


The help also specifies that:

When --role-namespace argument is specified as a non-empty value, it MUST match the current
namespace. When role-namespace is specified, the rolebinding will reference a namespaced Role. Otherwise, the
rolebinding will reference a ClusterRole resource.

      --role-namespace='': namespace where the role is located: empty means a role defined in cluster policy


I have tested it, and after adding this argument the appropriate RoleBinding referencing the Role was created.

Can you check if the following command works on your side as well?

oc adm policy add-role-to-user monitoring-alertmanager-edit testuser-11 -n openshift-monitoring --role-namespace openshift-monitoring

Comment 2 Junqi Zhao 2021-07-27 06:30:50 UTC
(In reply to Filip Krepinsky from comment #1)
> Can you check if the following command works on your side as well?
> 
> oc adm policy add-role-to-user monitoring-alertmanager-edit testuser-11 -n
> openshift-monitoring --role-namespace openshift-monitoring

No issue with the above command:
# oc -n openshift-monitoring get RoleBinding monitoring-alertmanager-edit -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2021-07-27T06:28:38Z"
  name: monitoring-alertmanager-edit
  namespace: openshift-monitoring
  resourceVersion: "202850"
  uid: 7afdc5d2-72db-4679-803b-018493a77740
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: monitoring-alertmanager-edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: testuser-11

Comment 3 Filip Krepinsky 2021-07-27 09:03:43 UTC
Ok, in that case I am closing the bug. Please open an RFE if you think the current behaviour could be improved.
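
Added example, not part of the original bug thread and not oc's own code: a small audit that finds RoleBindings like the one in the description, where roleRef.kind is ClusterRole but a same-named Role lives in the binding's namespace. The function name audit_role_refs and the sample data are constructed for illustration; the input is assumed to be the JSON List returned by `oc get rolebindings,roles,clusterroles -A -o json`.

```python
import json

# Constructed sample shaped like an `oc get ... -o json` List. The first Role
# and RoleBinding mirror this bug; "fixed", "viewers" and the ClusterRole
# "view" are invented for contrast.
SAMPLE = json.loads("""
{"items": [
 {"kind": "Role", "metadata": {"name": "monitoring-alertmanager-edit", "namespace": "openshift-monitoring"}},
 {"kind": "ClusterRole", "metadata": {"name": "view"}},
 {"kind": "RoleBinding", "metadata": {"name": "monitoring-alertmanager-edit", "namespace": "openshift-monitoring"},
  "roleRef": {"kind": "ClusterRole", "name": "monitoring-alertmanager-edit"}},
 {"kind": "RoleBinding", "metadata": {"name": "fixed", "namespace": "openshift-monitoring"},
  "roleRef": {"kind": "Role", "name": "monitoring-alertmanager-edit"}},
 {"kind": "RoleBinding", "metadata": {"name": "viewers", "namespace": "default"},
  "roleRef": {"kind": "ClusterRole", "name": "view"}}
]}
""")


def audit_role_refs(doc):
    """Return (namespace, binding, finding) for RoleBindings whose roleRef
    does not resolve to the object the operator most likely meant."""
    roles, cluster_roles, bindings = set(), set(), []
    for item in doc.get("items", []):
        meta = item.get("metadata", {})
        if item.get("kind") == "Role":
            roles.add((meta.get("namespace"), meta.get("name")))
        elif item.get("kind") == "ClusterRole":
            cluster_roles.add(meta.get("name"))
        elif item.get("kind") == "RoleBinding":
            bindings.append(item)

    findings = []
    for rb in bindings:
        ns, name = rb["metadata"]["namespace"], rb["metadata"]["name"]
        ref = rb.get("roleRef", {})
        if ref.get("kind") == "ClusterRole":
            local = (ns, ref.get("name")) in roles   # same-named Role in this namespace
            exists = ref.get("name") in cluster_roles
            if local and not exists:
                findings.append((ns, name, "dangling ClusterRole ref; same-named Role exists"))
            elif local:
                findings.append((ns, name, "ClusterRole ref shadows same-named Role"))
            elif not exists:
                findings.append((ns, name, "dangling ClusterRole ref"))
        elif ref.get("kind") == "Role" and (ns, ref.get("name")) not in roles:
            findings.append((ns, name, "dangling Role ref"))
    return findings
```

A dangling binding grants nothing today but takes effect as soon as a ClusterRole of that name is created, which is why it is reported rather than ignored.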