Bug 1284501 - Missing "reconcile-cluster-role-bindings" for upgrade
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Priority: high
Severity: medium
Assigned To: Alex Dellapenta
Vikram Goyal
Vikram Goyal
Blocks: 1267746
Reported: 2015-11-23 08:46 EST by Eduardo Minguez
Modified: 2016-09-28 07:38 EDT
Doc Type: Bug Fix
Last Closed: 2016-09-28 07:38:31 EDT
Type: Bug
Description Eduardo Minguez 2015-11-23 08:46:26 EST
Document URL: https://docs.openshift.com/enterprise/3.1/install_config/upgrades.html#updating-policy-definitions

Section Number and Name: Updating Policy Definitions

Describe the issue: If you don't upgrade the cluster-role-bindings, there are some commands that will fail (oc logs, oc rsh)

Suggestions for improvement: Add how to reconcile cluster-role-bindings and sccs if needed

Additional information:
Comment 1 Jordan Liggitt 2015-11-23 10:03:09 EST
For reference, this is the command ansible runs when upgrading. It updates role bindings, only adding permissions, and not adding any permissions to all users (authenticated or unauthenticated) by default:

oadm policy reconcile-cluster-role-bindings \
  --exclude-groups=system:authenticated \
  --exclude-groups=system:unauthenticated \
  --exclude-users=system:anonymous \
  --additive-only=true \
Comment 2 Alex Dellapenta 2015-11-24 09:39:03 EST
This is being handled in https://github.com/openshift/openshift-docs/pull/1251.
Comment 3 Anping Li 2016-03-09 21:12:48 EST
There is oadm policy reconcile-cluster-role-bindings in openshift-docs, so move to Verified.
