Description of problem: Add a role to the service accounts using -z/--serviceaccount as argument,and then remove them using -z/--serviceaccount as argument,or remove them using "oc policy remove-role-from-user admin system:serviceaccount:wsuntest:default",the service account could not be removed. Version-Release number of selected component (if applicable): # oc version oc v1.0.7-287-g60781e3 kubernetes v1.2.0-alpha.1-1107-g4c8e6f4 devnenv_rhel7-2638 How reproducible: Always Steps to Reproduce: 1.Check who is admin # oc get rolebinding/admins -n wsuntest 2.Add the serviceaccounts to the role # oc policy add-role-to-user admin -z=defalut --serviceaccount=three -n wsuntest 3.Check if the service accounts are added to admin role # oc get rolebinding/admins -n wsuntest 4.Remove the serviceaccounts from the role with -z/--serviceaccount # oc policy remove-role-from-user admin -z=default --serviceaccount=three -n wsuntest 5.Check if the service accounts are removed from admin role # oc get rolebinding/admins -n wsuntest 6.Remove the serviceaccounts from the role whithout -z/--serviceaccount oc policy remove-role-from-user admin system:serviceaccount:wsuntest:default -n wsuntest 7.Check if the service accounts are removed from admin role # oc get rolebinding/admins -n wsuntest 8.Add the serviceaccounts to the role,but don't use -z # oc policy add-role-to-user admin system:serviceaccount:wsuntest:one -n wsuntest 9.Check if the service accounts are removed from admin role # oc get rolebinding/admins -n wsuntest 10.Remove the serviceaccounts from the role # oc policy remove-role-from-user admin system:serviceaccount:wsuntest:one -n wsuntest 11.Check if the service accounts are removed from admin role Actual results: 1.# oc get rolebinding/admins -n wsuntest NAME ROLE USERS GROUPS SERVICE ACCOUNTS SUBJECTS admins /admin system:admin 3.# oc get rolebinding/admins -n wsuntest NAME ROLE USERS GROUPS SERVICE ACCOUNTS SUBJECTS admins /admin system:admin defalut, three 5# oc get rolebinding/admins -n wsuntest NAME ROLE USERS GROUPS SERVICE ACCOUNTS SUBJECTS admins /admin system:admin defalut, three 7.# oc get rolebinding/admins -n wsuntest NAME ROLE USERS GROUPS SERVICE ACCOUNTS SUBJECTS admins /admin system:admin defalut, three 9.# oc get rolebinding/admins -n wsuntest NAME ROLE USERS GROUPS SERVICE ACCOUNTS SUBJECTS admins /admin system:admin defalut, three, one 11.The service account "one" is removed # oc get rolebinding/admins -n wsuntest NAME ROLE USERS GROUPS SERVICE ACCOUNTS SUBJECTS admins /admin system:admin defalut, three Expected results: 5.7 Could remove "default" and "three" service accounts Additional info:
Also fixed by https://github.com/openshift/origin/pull/5730 . Be sure to fix the `defalut` typo.
Marking as upcoming release since this is slated for the 1.1.1 milestone
Tested this bug against the devenv-rhel7_2717,now could remove the service account if using -z/--serviceaccount as argument to add role.After the bug is moved to ON_QA,I'll verify it.
According to #Comment 3 ,verified this bug.