Bug 1984942

Summary: ApplyClusterRoleBinding triggers boundsError when adding new subject
Product: OpenShift Container Platform Reporter: Fabio Bertinatto <fbertina>
Component: StorageAssignee: Jonathan Dobson <jdobson>
Storage sub component: Operators QA Contact: Wei Duan <wduan>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: medium CC: aos-bugs, jsafrane, wduan
Version: 4.9   
Target Milestone: ---   
Target Release: 4.9.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-18 17:40:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Fabio Bertinatto 2021-07-22 14:02:54 UTC 
Details: https://github.com/openshift/vmware-vsphere-csi-driver/pull/12#issuecomment-884934118
Comment 1 Jan Safranek 2021-07-23 15:07:00 UTC 
It's probably a bug in library-go ApplyClusterRoleBinding / ApplyRoleBinding.
Comment 2 Jonathan Dobson 2021-07-29 22:24:58 UTC 
vmware-vsphere-csi-driver-operator was hitting a bounds error:

E0729 20:29:23.814759       1 runtime.go:78] Observed a panic: runtime.boundsError{x:1, y:1,
 signed:true, code:0x0} (runtime error: index out of range [1] with length 1)
goroutine 614 [running]:
k8s.io/apimachinery/pkg/util/runtime.logPanic(0x299e460, 0xc0016fc720)
        k8s.io/apimachinery.1/pkg/util/runtime/runtime.go:74 +0x95
k8s.io/apimachinery/pkg/util/runtime.HandleCrash(0xc0015bbd58, 0x1, 0x1)
        k8s.io/apimachinery.1/pkg/util/runtime/runtime.go:48 +0x86
panic(0x299e460, 0xc0016fc720)
        runtime/panic.go:965 +0x1b9
github.com/openshift/library-go/pkg/operator/resource/resourceapply.ApplyClusterRoleBinding(
0x2f904d0, 0xc000645780, 0x7f41280db860, 0xc000c24f90, 0x2fa5c40, 0xc0002058c0, 0xc0002e4f20
, 0xc0008c9680, 0x1, 0x2f3afa0, ...)

Because we added a new ServiceAccount to the ClusterRoleBinding:

https://github.com/openshift/vmware-vsphere-csi-driver-operator/pull/32/files

And this loop in ApplyClusterRoleBinding has a mistake. existingCopy.Subjects[i] should be requiredCopy.Subjects[i].

https://github.com/openshift/library-go/blob/331c921007eb14f1292c5b727da61fb2e7f5be6a/pkg/operator/resource/resourceapply/rbac.go#L83

	for i := range requiredCopy.Subjects {
		if existingCopy.Subjects[i].Kind == "User" {
			requiredCopy.Subjects[i].APIGroup = rbacv1.GroupName
		}
	}

existingCopy.Subjects has 1 entry in this case, and requiredCopy.Subjects has 2 entries. So existingCopy.Subjects[1] triggers the panic.
Comment 3 Jonathan Dobson 2021-08-03 14:12:14 UTC 
Need to bump library-go in vmware-vsphere-csi-driver-operator to resolve this bug, moving this back to assigned.
Comment 5 Wei Duan 2021-08-20 02:00:37 UTC 
Verified pass on 4.9.0-0.nightly-2021-08-19-184748
Comment 8 errata-xmlrpc 2021-10-18 17:40:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759