Description of problem:
If a custom role is created it cannot then be added to a group. An error message is returned.

Version-Release number of selected component (if applicable):

How reproducible:
100% of the time. Had multiple people reproduce on different OCP 3.2 and 3.3 clusters.

Steps to Reproduce:

> cat custom-role.json
{
  "kind": "Role",
  "apiVersion": "v1",
  "metadata": {
    "name": "template-editor"
  },
  "rules": [
    {
      "verbs": [ "get", "list", "create", "update" ],
      "resources": [ "templates" ]
    }
  ]
}
> oc create -f custom-role.json
> oadm policy add-role-to-group template-editor system:authenticated -n openshift
Error from server: role "template-editor" not found

Actual results:
Using oadm to add the custom role failed.

Expected results:
The role should have been added.

Additional info:
A workaround was found if the role binding is added via an oc create command.

> cat add-template-editor-to-authenticated.yml
apiVersion: v1
groupNames:
- system:authenticated
kind: RoleBinding
metadata:
  name: template-editor
  namespace: openshift
roleRef:
  name: template-editor
  namespace: openshift
subjects:
- kind: SystemGroup
  name: system:authenticated
userNames: null
> oc create -f add-template-editor-to-authenticated.yml
rolebinding "template-editor" created
to grant a role defined within a namespace, use `... add-role-to-user ... --role-namespace=<namespace containing role>`
Jordan, Where is that in the doc? ~Ian
$ oadm policy add-role-to-user --help
Add a role to users or serviceaccounts for the current project

Usage:
  oadm policy add-role-to-user ROLE (USER | -z SERVICEACCOUNT) [USER ...] [options]

Examples:
  # Add the 'view' role to user1 for the current project
  oadm policy add-role-to-user view user1

  # Add the 'edit' role to serviceaccount1 for the current project
  oadm policy add-role-to-user edit -z serviceaccount1

Options:
      --role-namespace='': namespace where the role is located: empty means a role defined in cluster policy
  -z, --serviceaccount=[]: service account in the current namespace to use as a user
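As an added illustration (not OpenShift code and not from any commenter on this thread): a small Python model of the lookup the help text above describes. The role inventories are constructed stand-ins for `oc get clusterroles` and `oc get roles -n <ns>`; with them it reproduces the "role not found" error from the report when --role-namespace is omitted, and builds the same roleRef the workaround RoleBinding carries when the flag is supplied.

```python
"""Model of how `oadm policy add-role-to-group` resolves a role name.

Added example, not OpenShift code. It mimics the behaviour described in
the thread: with an empty --role-namespace the role is looked up in
cluster policy only, so a role created inside a project is not found.
"""

# Constructed inventories (assumption) standing in for the cluster's
# ClusterRole list and the Role list of the "openshift" project.
CLUSTER_ROLES = {"view", "edit", "admin"}
NAMESPACED_ROLES = {"openshift": {"template-editor"}}


def resolve_role(role, role_namespace=""):
    """Return the roleRef a binding would carry, or raise if the role is missing.

    An empty role_namespace means "look in cluster policy", matching the
    --role-namespace help text on this page.
    """
    if role_namespace == "":
        if role in CLUSTER_ROLES:
            return {"name": role, "namespace": ""}
        raise LookupError('role "%s" not found' % role)
    if role in NAMESPACED_ROLES.get(role_namespace, set()):
        return {"name": role, "namespace": role_namespace}
    raise LookupError('role "%s" not found in namespace "%s"'
                      % (role, role_namespace))


def add_role_to_group(role, group, project, role_namespace=""):
    """Build the RoleBinding the command would create in `project`."""
    role_ref = resolve_role(role, role_namespace)
    return {
        "apiVersion": "v1",
        "kind": "RoleBinding",
        "metadata": {"name": role, "namespace": project},
        "roleRef": role_ref,
        "subjects": [{"kind": "SystemGroup", "name": group}],
        "groupNames": [group],
    }


if __name__ == "__main__":
    try:  # the failing command from the report: no --role-namespace
        add_role_to_group("template-editor", "system:authenticated", "openshift")
    except LookupError as err:
        print("Error from server:", err)
    # the same request with --role-namespace=openshift succeeds
    binding = add_role_to_group("template-editor", "system:authenticated",
                                "openshift", role_namespace="openshift")
    print(binding["roleRef"])
```

Note that the resulting binding grants the role to every authenticated user of the cluster, exactly as the workaround YAML in the report does; the roleRef namespace is what ties it to the project-scoped role rather than a cluster role of the same name.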