Description of problem:
After upgrading from OSE 3.2 to OCP 3.3, diagnostics reported that there are missing expected subjects and extra subjects, and it suggests fixing the mismatch by running "oadm policy reconcile-cluster-role-bindings" or "oadm policy reconcile-cluster-roles". But these commands can't find the mismatched subjects and thus can't fix them.

Version-Release number of selected component (if applicable):
atomic-openshift-master-3.3.1.2-1.git

How reproducible:
always

Steps to Reproduce:
1. upgrade OSE 3.2 to OCP 3.3
2. run oadm diagnostics
3. try to fix the mismatched policy issue as suggested.

Actual results:
2. diagnostics reported that there are missing/extra subjects and that they can be fixed by 'oadm policy reconcile-xxx':

[Note] Running diagnostic: ClusterRoleBindings
       Description: Check that the default ClusterRoleBindings are present and contain the expected subjects

Info: clusterrolebinding/cluster-readers has more subjects than expected. Use the `oadm policy reconcile-cluster-role-bindings` command to update the role binding to remove extra subjects.
Info: clusterrolebinding/cluster-readers has extra subject {ServiceAccount management-infra management-admin }.
WARN: [CRBD1003 from diagnostic ClusterRoleBindings@openshift/origin/pkg/diagnostics/cluster/rolebindings.go:87] clusterrolebinding/self-access-reviewers is missing expected subjects. Use the `oadm policy reconcile-cluster-role-bindings` command to update the role binding to include expected subjects.
Info: clusterrolebinding/self-access-reviewers is missing subject {SystemGroup system:authenticated }.
Info: clusterrolebinding/self-access-reviewers is missing subject {SystemGroup system:unauthenticated }.
Info: clusterrolebinding/self-provisioners has more subjects than expected. Use the `oadm policy reconcile-cluster-role-bindings` command to update the role binding to remove extra subjects.
Info: clusterrolebinding/self-provisioners has extra subject {ServiceAccount management-infra management-admin }.
WARN: [CRBD1003 from diagnostic ClusterRoleBindings@openshift/origin/pkg/diagnostics/cluster/rolebindings.go:87] clusterrolebinding/system:build-strategy-jenkinspipeline-binding is missing expected subjects. Use the `oadm policy reconcile-cluster-role-bindings` command to update the role binding to include expected subjects.
Info: clusterrolebinding/system:build-strategy-jenkinspipeline-binding is missing subject {SystemGroup system:authenticated }.

[Note] Running diagnostic: ClusterRoles
       Description: Check that the default ClusterRoles are present and contain the expected permissions

WARN: [CRD1003 from diagnostic ClusterRoles@openshift/origin/pkg/diagnostics/cluster/roles.go:82] clusterrole/cluster-reader has changed, but the existing role has more permissions than the new role. Use the `oadm policy reconcile-cluster-roles` command to update the role to reduce permissions.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["get"], APIGroups:[""], Resources:["imagestreamimports"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["list"], APIGroups:[""], Resources:["imagestreamimports"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["watch"], APIGroups:[""], Resources:["imagestreamimports"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["get"], APIGroups:[""], Resources:["localsubjectaccessreviews"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["list"], APIGroups:[""], Resources:["localsubjectaccessreviews"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["watch"], APIGroups:[""], Resources:["localsubjectaccessreviews"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["get"], APIGroups:[""], Resources:["buildconfigs/instantiate"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["list"], APIGroups:[""], Resources:["buildconfigs/instantiate"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["watch"], APIGroups:[""], Resources:["buildconfigs/instantiate"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["list"], APIGroups:[""], Resources:["generatedeploymentconfigs"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["watch"], APIGroups:[""], Resources:["generatedeploymentconfigs"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["get"], APIGroups:[""], Resources:["generatedeploymentconfigs"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["get"], APIGroups:[""], Resources:["builds/clone"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["list"], APIGroups:[""], Resources:["builds/clone"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["watch"], APIGroups:[""], Resources:["builds/clone"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["get"], APIGroups:[""], Resources:["oauthclients"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["list"], APIGroups:[""], Resources:["oauthclients"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["watch"], APIGroups:[""], Resources:["oauthclients"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["get"], APIGroups:[""], Resources:["localresourceaccessreviews"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["list"], APIGroups:[""], Resources:["localresourceaccessreviews"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["watch"], APIGroups:[""], Resources:["localresourceaccessreviews"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["get"], APIGroups:[""], Resources:["minions"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["list"], APIGroups:[""], Resources:["minions"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["watch"], APIGroups:[""], Resources:["minions"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["get"], APIGroups:[""], Resources:["subjectaccessreviews"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["list"], APIGroups:[""], Resources:["subjectaccessreviews"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["watch"], APIGroups:[""], Resources:["subjectaccessreviews"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["get"], APIGroups:[""], Resources:["imagestreammappings"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["list"], APIGroups:[""], Resources:["imagestreammappings"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["watch"], APIGroups:[""], Resources:["imagestreammappings"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["get"], APIGroups:[""], Resources:["deployments"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["list"], APIGroups:[""], Resources:["deployments"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["watch"], APIGroups:[""], Resources:["deployments"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["get"], APIGroups:[""], Resources:["resourceaccessreviews"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["list"], APIGroups:[""], Resources:["resourceaccessreviews"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["watch"], APIGroups:[""], Resources:["resourceaccessreviews"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["get"], APIGroups:[""], Resources:["buildconfigs/instantiatebinary"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["list"], APIGroups:[""], Resources:["buildconfigs/instantiatebinary"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["watch"], APIGroups:[""], Resources:["buildconfigs/instantiatebinary"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["watch"], APIGroups:[""], Resources:["deploymentconfigrollbacks"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["get"], APIGroups:[""], Resources:["deploymentconfigrollbacks"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["list"], APIGroups:[""], Resources:["deploymentconfigrollbacks"]}.

3. oadm policy reconcile-XX couldn't list all missing and extra subjects.

Expected results:
OpenShift should provide a method to fix the missing and extra subjects.

Additional info:
Adding Luke and Jordan, can you confirm this is an issue with what `diagnostics` suggest, or an actual issue with the command?
Extra permissions should be an info message, not a warning. We might want to consider removing the message about the extra subjects... that's expected in normal usage. The messages about the commands to run aren't copy/pasteable... you need to pass --additive-only=false to remove extra permissions or subjects, and --confirm to commit the changes, not just preview them. Not sure whether the goal should be to give people copy/paste commands when they may not understand the implications of running them.
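To make the flags from the previous comment concrete, here is an added example that is not part of this bug report or of the OpenShift tooling: a small Python helper that parses the `Info:` lines quoted in the description (the sample below is a constructed subset copied from this report), lists what a non-additive reconcile would remove so it can be reviewed first, and assembles the `oadm policy reconcile-*` command with `--additive-only=false` only when something has to be removed and `--confirm` only when you actually want to write. The message format it assumes is the one shown above, the flags are the ones named in the comment, and the function names (`parse_diagnostics`, `pending_removals`, `reconcile_commands`) are this example's own.

```python
"""Turn `oadm diagnostics` policy messages into the reconcile commands that address them.

Added example, not part of this bug report or of OpenShift. Assumes the message
format quoted in the report and the flags named in the thread
(--additive-only=false, --confirm); helper names are this example's own.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the diagnostic lines quoted in the description.
SAMPLE_DIAGNOSTICS = """\
Info: clusterrolebinding/cluster-readers has extra subject {ServiceAccount management-infra management-admin }.
Info: clusterrolebinding/self-access-reviewers is missing subject {SystemGroup system:authenticated }.
Info: clusterrolebinding/self-access-reviewers is missing subject {SystemGroup system:unauthenticated }.
Info: clusterrolebinding/self-provisioners has extra subject {ServiceAccount management-infra management-admin }.
Info: clusterrolebinding/system:build-strategy-jenkinspipeline-binding is missing subject {SystemGroup system:authenticated }.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["get"], APIGroups:[""], Resources:["imagestreamimports"]}.
Info: clusterrole/cluster-reader has extra permission PolicyRule{Verbs:["list"], APIGroups:[""], Resources:["minions"]}.
"""

BINDING_RE = re.compile(
    r"^Info: clusterrolebinding/(?P<name>\S+) (?P<kind>has extra|is missing) subject "
    r"\{(?P<subject>[^}]+?)\s*\}\.$")
ROLE_RE = re.compile(
    r"^Info: clusterrole/(?P<name>\S+) has extra permission PolicyRule\{(?P<rule>.*)\}\.$")


def parse_diagnostics(text):
    """Group the per-object messages.

    Returns (bindings, roles):
      bindings[name] = {"missing": [subject, ...], "extra": [subject, ...]}
      roles[name]    = [rule, ...]   # only the "extra permission" lines shown in this report
    """
    bindings = defaultdict(lambda: {"missing": [], "extra": []})
    roles = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        m = BINDING_RE.match(line)
        if m:
            bucket = "extra" if m.group("kind") == "has extra" else "missing"
            bindings[m.group("name")][bucket].append(m.group("subject"))
            continue
        m = ROLE_RE.match(line)
        if m:
            roles[m.group("name")].append(m.group("rule"))
    return dict(bindings), dict(roles)


def pending_removals(bindings, roles):
    """Everything a non-additive reconcile would take away.

    Review this before passing --confirm: an "extra" subject such as the
    management-infra service account may have been granted on purpose.
    """
    out = [("clusterrolebinding", name, s)
           for name, b in sorted(bindings.items()) for s in b["extra"]]
    out += [("clusterrole", name, r)
            for name, rules in sorted(roles.items()) for r in rules]
    return out


def reconcile_commands(bindings, roles, confirm=False):
    """Build the oadm command lines for what diagnostics reported.

    The default reconcile is additive-only: it adds missing subjects or
    permissions but never removes extra ones. Removal needs
    --additive-only=false, and nothing is written without --confirm.
    """
    cmds = []
    if bindings:
        cmd = ["oadm", "policy", "reconcile-cluster-role-bindings"]
        if any(b["extra"] for b in bindings.values()):
            cmd.append("--additive-only=false")
        if confirm:
            cmd.append("--confirm")
        cmds.append(" ".join(cmd))
    if roles:  # only extra permissions are parsed, so removal is always needed here
        cmd = ["oadm", "policy", "reconcile-cluster-roles", "--additive-only=false"]
        if confirm:
            cmd.append("--confirm")
        cmds.append(" ".join(cmd))
    return cmds


if __name__ == "__main__":
    b, r = parse_diagnostics(SAMPLE_DIAGNOSTICS)
    print("would remove:")
    for kind, name, what in pending_removals(b, r):
        print(f"  {kind}/{name}: {what}")
    print("preview:")
    for c in reconcile_commands(b, r):
        print("  " + c)
    print("commit (after reviewing the preview):")
    for c in reconcile_commands(b, r, confirm=True):
        print("  " + c)
```

Run the preview form first and compare its output with the `pending_removals` list; only then rerun with `confirm=True`. If the diagnostics report nothing but missing subjects, the helper leaves `--additive-only=false` out, which is the safer default the comment above describes.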
Oh, I missed the --additive-only=false. It would be clearer if such options were in the messages.
I'm still seeing something similar after an upgrade to 3.4
OCP 3.6-3.10 is no longer on full support [1]. Marking un-triaged bugs CLOSED DEFERRED. If you have a customer case with a support exception or have reproduced on 3.11+, please reopen and include those details. When reopening, please set the Version to the appropriate version where reproduced. [1]: https://access.redhat.com/support/policy/updates/openshift