Description of problem: Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: $ oc new-project hidden $ oc delete rolebinding admin Actual results: a user can create a project, and then delete the rolebinding admin in that project. This effectively removes the ability for dedicated admins to see that the project exists. Expected results: Dedicated-admins should still have the ability to view and add rolebindings for admin. Additional info:
There is supposed to be a controller that ensures dedicated admins continuously have permissions in all appropriate projects
That is correct - the dedicated admin service will recreate that rolebinding at its sync interval of 30 minutes. Is that not working?
This did resolve the issue. Is this a part of the atomic-openshift-master-controllers service? If not, can we get a little more details about it?
Its part of openshift-dedicated-role.service This is the service that is responsible for creating the roles and making sure that it is assigned to the cluster role as well as the project role for each user project.
Eric: Once verified that your requirements are satisfied, please close this bug.
That makes sense. Thanks Abhishek!