Description of problem:
Add a role to the service account using -z/--serviceaccount as argument, or add it using "oc policy add-role-to-user admin system:serviceaccount:wsuntest:two -n wsuntest", and then remove the service account with -z as argument, but could not remove it successfully.

Version-Release number of selected component (if applicable):
# oc version
oc v1.0.7-287-g60781e3
kubernetes v1.2.0-alpha.1-1107-g4c8e6f4
devnenv_rhel7-2638

How reproducible:
Always

Steps to Reproduce:
1. Check who is admin
# oc get rolebinding/admins -n wsuntest
2. Add the service accounts to the role with -z
# oc policy add-role-to-user admin -z=defalut --serviceaccount=three -n wsuntest
3. Check if the service accounts are added to admin role
# oc get rolebinding/admins -n wsuntest
4. Remove the service accounts from the role with -z
# oc policy remove-role-from-user admin -z=default --serviceaccount=three -n wsuntest
5. Check if the service accounts are removed from admin role
6. Add the service account to the role without -z
# oc policy add-role-to-user admin system:serviceaccount:wsuntest:two -n wsuntest
7. Check if the service accounts are added to admin role
# oc get rolebinding/admins -n wsuntest
8. Remove the service account with -z
# oc policy remove-role-from-user admin -z=two -n wsuntest
9. Check if the service accounts are removed from admin role
# oc get rolebinding/admins -n wsuntest

Actual results:
1. # oc get rolebinding/admins -n wsuntest
NAME ROLE USERS GROUPS SERVICE ACCOUNTS SUBJECTS
admins /admin system:admin
3. # oc get rolebinding/admins -n wsuntest
NAME ROLE USERS GROUPS SERVICE ACCOUNTS SUBJECTS
admins /admin system:admin defalut, three
5. The service accounts "default" and "three" are not removed
# oc get rolebinding/admins -n wsuntest
NAME ROLE USERS GROUPS SERVICE ACCOUNTS SUBJECTS
admins /admin system:admin defalut, three
7. # oc get rolebinding/admins -n wsuntest
NAME ROLE USERS GROUPS SERVICE ACCOUNTS SUBJECTS
admins /admin system:admin defalut, three, two
9. # oc get rolebinding/admins -n wsuntest
NAME ROLE USERS GROUPS SERVICE ACCOUNTS SUBJECTS
admins /admin system:admin defalut, three, two

Expected results:
Could remove the service account using -z

Additional info:
See https://github.com/openshift/origin/pull/5730
Leaving ON_DEV until PR is in merge queue
Marking as upcoming release since this is slated for the 1.1.1 milestone
Tested this bug in devenv-rhel7_2712, now could remove the other service account using -z/--serviceaccount as argument, but still could not remove the default service account.

[root@ip-172-18-15-26 /]# oc policy add-role-to-user admin -z=defalut --serviceaccount=three -n wsuntest
[root@ip-172-18-15-26 /]# oc get rolebinding/admins -n wsuntest
NAME ROLE USERS GROUPS SERVICE ACCOUNTS SUBJECTS
admins /admin system:admin defalut, three
[root@ip-172-18-15-26 /]# oc policy remove-role-from-user admin -z=default --serviceaccount=three -n wsuntest
[root@ip-172-18-15-26 /]# oc get rolebinding/admins -n wsuntest
NAME ROLE USERS GROUPS SERVICE ACCOUNTS SUBJECTS
admins /admin system:admin defalut
I think you have a typo in your test. Note `defalut` in the add step, but `default` in the remove step.
Verified on devenv-rhel7_2717. Now could remove the service account using -z/--serviceaccount as argument.