Description of problem: `oadm diagnostics` includes a specific warning [0] that indicates there are "extra permissions" on certain roles. This should likely be an information message, rather than a warning, as there is not anything necessarily bad about the extra permissions (might be there due to changes in the permissions of roles in the upgrades 3.2 vs 3.3)

[0]
WARN: [CRD1003 from diagnostic ClusterRoles@openshift/origin/pkg/diagnostics/cluster/roles.go:82] clusterrole/system:deployment-controller has changed, but the existing role has more permissions than the new role. Use the `oadm policy reconcile-cluster-roles` command to update the role to reduce permissions.
Info: clusterrole/system:deployment-controller has extra permission PolicyRule{Verbs:["list"], APIGroups:[""], Resources:["replicationcontrollers"]}.
Info: clusterrole/system:deployment-controller has extra permission PolicyRule{Verbs:["watch"], APIGroups:[""], Resources:["replicationcontrollers"]}.
Info: clusterrole/system:deployment-controller has extra permission PolicyRule{Verbs:["get"], APIGroups:[""], Resources:["replicationcontrollers"]}.
Info: clusterrole/system:deployment-controller has extra permission PolicyRule{Verbs:["update"], APIGroups:[""], Resources:["replicationcontrollers"]}.
Info: clusterrole/system:deployment-controller has extra permission PolicyRule{Verbs:["create"], APIGroups:[""], Resources:["pods"]}.
Info: clusterrole/system:deployment-controller has extra permission PolicyRule{Verbs:["delete"], APIGroups:[""], Resources:["pods"]}.
Info: clusterrole/system:deployment-controller has extra permission PolicyRule{Verbs:["update"], APIGroups:[""], Resources:["pods"]}.
The "extra permissions" messages should be at info level, and include the --additive-only=false flag in the recommended command to run (though they should also note that they should ensure they don't need the extra permissions before they remove them).
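The comment above recommends two things: review what the "extra permissions" actually are before removing them, and run the reconcile with --additive-only=false. The following triage script is an added example written for this page; it is not part of the bug, of Origin, or of the diagnostics code. It parses the Info lines that `oadm diagnostics` prints (the sample input is constructed from the lines in the bug description), tabulates each extra permission per cluster role, and then prints (does not run) the reconcile commands for each flagged role. The script assumes the 3.x CLI behaviour that `oadm policy reconcile-cluster-roles` accepts role names as arguments, only shows what would change unless `--confirm` is given, and that `--additive-only=false` is what allows permissions to be removed.

```shell
#!/bin/sh
# Triage helper for "has extra permission" messages from `oadm diagnostics`.
# Added example for this page; not Origin code. Assumes the 3.x CLI flags
# --additive-only and --confirm of `oadm policy reconcile-cluster-roles`.

# Constructed sample input: Info lines as printed by the ClusterRoles
# diagnostic (taken from the bug description), plus one unrelated line.
SAMPLE_DIAGNOSTICS='Info: clusterrole/system:deployment-controller has extra permission PolicyRule{Verbs:["list"], APIGroups:[""], Resources:["replicationcontrollers"]}.
Info: clusterrole/system:deployment-controller has extra permission PolicyRule{Verbs:["watch"], APIGroups:[""], Resources:["replicationcontrollers"]}.
Info: clusterrole/system:deployment-controller has extra permission PolicyRule{Verbs:["create"], APIGroups:[""], Resources:["pods"]}.
Info: clusterrole/system:deployment-controller has extra permission PolicyRule{Verbs:["delete"], APIGroups:[""], Resources:["pods"]}.
Info: clusterrole/system:deployment-controller has changed, but the existing role has more permissions than the new role.'

# extra_permissions: stdin = diagnostics output, stdout = one TSV row per
# extra permission: role <TAB> verbs <TAB> apiGroups <TAB> resources.
# An empty APIGroups entry (the core API group) is shown as "(core)".
extra_permissions() {
    awk '
        # field(s, name): the value of name:[...] inside a PolicyRule, quotes stripped
        function field(s, name,    v) {
            if (match(s, name ":\\[[^]]*\\]") == 0) return ""
            v = substr(s, RSTART + length(name) + 2, RLENGTH - length(name) - 3)
            gsub(/"/, "", v)
            return v
        }
        / has extra permission PolicyRule[{]/ {
            role = $2
            sub(/^clusterrole\//, "", role)
            rule = $0
            sub(/^.*PolicyRule[{]/, "", rule)   # keep only the rule body
            sub(/[}]\.?$/, "", rule)            # drop the closing brace and period
            groups = field(rule, "APIGroups")
            if (groups == "") groups = "(core)"
            printf "%s\t%s\t%s\t%s\n", role, field(rule, "Verbs"), groups, field(rule, "Resources")
        }'
}

# roles_with_extra_permissions: stdin = diagnostics output,
# stdout = the distinct cluster roles that carry extra permissions.
roles_with_extra_permissions() {
    extra_permissions | cut -f1 | sort -u
}

# reconcile_commands: stdin = diagnostics output, stdout = for each flagged
# role, the review (dry-run) command followed by the apply command.
# Nothing is executed here; the operator runs the lines after review.
reconcile_commands() {
    roles_with_extra_permissions | while read -r role; do
        printf 'oadm policy reconcile-cluster-roles --additive-only=false %s\n' "$role"
        printf 'oadm policy reconcile-cluster-roles --additive-only=false --confirm %s\n' "$role"
    done
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_DIAGNOSTICS" | extra_permissions
printf '%s\n' "$SAMPLE_DIAGNOSTICS" | reconcile_commands
```

In real use, replace the sample with `oadm diagnostics ClusterRoles 2>&1 | extra_permissions` to get the table, check each verb/resource pair against what the role's consumers actually do, and only then run the `--confirm` line.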
Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/ebceafede31cbec87caabe93be0b9ee6e72e7062
diagnostics: make cluster role warning info, modify text

bug 1381611
https://bugzilla.redhat.com/show_bug.cgi?id=1381611
This commit was merged into the origin 1.5 code, marking this as 3.5.0 target.
This has been merged into ocp and is in OCP v3.5.0.7 or newer.
Verified on

# openshift version
openshift v3.5.0.7+390ef18
kubernetes v1.5.2+43a9be4
etcd 3.1.0-rc.0

it's fixed:

[Note] Running diagnostic: ClusterRoleBindings
       Description: Check that the default ClusterRoleBindings are present and contain the expected subjects
Info: clusterrolebinding/cluster-readers has more subjects than expected. Use the `oadm policy reconcile-cluster-role-bindings` command to update the role binding to remove extra subjects.
Info: clusterrolebinding/cluster-readers has extra subject {ServiceAccount management-infra management-admin }.
Info: clusterrolebinding/self-provisioners has more subjects than expected. Use the `oadm policy reconcile-cluster-role-bindings` command to update the role binding to remove extra subjects.
Info: clusterrolebinding/self-provisioners has extra subject {ServiceAccount management-infra management-admin }.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:0884