Bug 1435132 - [yHlzD0NV] RoleBindingRestriction object is not deleted after namespace is deleted
Summary: [yHlzD0NV] RoleBindingRestriction object is not deleted after namespace is de...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: ---
Assignee: Mo
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-03-23 08:58 UTC by Chuan Yu
Modified: 2017-07-24 14:11 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Origin's namespace finalizer did not delete RoleBindingRestriction before namespace deletion. Consequence: Orphaned RoleBindingRestrictions were left in etcd and could cause issues if the openshift.io/RestrictSubjectBindings admission plugin was enabled. Fix: Delete RoleBindingRestriction before namespace finalization. Result: RoleBindingRestrictions are deleted when a namespace is deleted.
Clone Of:
Environment:
Last Closed: 2017-04-12 19:14:58 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0884 normal SHIPPED_LIVE Red Hat OpenShift Container Platform 3.5 RPM Release Advisory 2017-04-12 22:50:07 UTC
Github openshift origin pull 13563 None None None 2017-03-29 11:33:08 UTC
Github openshift origin pull 13588 None None None 2017-03-30 18:08:22 UTC
Github openshift origin pull 13589 None None None 2017-03-30 18:08:56 UTC

Description Chuan Yu 2017-03-23 08:58:54 UTC 
Description of problem:
RoleBindingRestriction not being deleted when namespaces are removed

Version-Release number of selected component (if applicable):
# openshift version
openshift v3.5.0.55
kubernetes v1.5.2+43a9be4
etcd 3.1.0

How reproducible:
always

Steps to Reproduce:
1.create rolebindingrestriction by cluster-admin, 
oc create -f -<<EOF -n test
apiVersion: v1
kind: RoleBindingRestriction
metadata:
  name: match-groups
spec:
  grouprestriction:
    groups: ["groups-rolebindingrestriction"]
EOF
2.Delete the namespace 'test' by cluster-admin or project admin
3.

Actual results:
When the namespaces are removed, the RoleBindingRestriction not being deleted.
oc get rolebindingrestriction --all-namespaces
NAMESPACE      NAME      SUBJECT TYPE   SUBJECTS
match-groups   Group     groups-rolebindingrestriction

Expected results:
When the namespaces are removed, the RoleBindingRestriction should be deleted also.

Additional info:
Comment 1 Jordan Liggitt 2017-03-23 14:20:09 UTC 
need to be added to https://github.com/openshift/origin/blob/master/pkg/project/controller/controller.go#L55

Also need a test to ensure content is removed

Also need a test to iterate over all registered origin resources to ensure this doesn't reoccur
Comment 2 Wang Haoran 2017-03-24 02:59:40 UTC 
This also will cause the project with same name cannot be created again with error:
$ oc new-project test
Error from server (InternalError): Internal error occurred: rolebindings "system:image-pullers" is forbidden: rolebindings to SystemGroup "system:serviceaccounts:test" are not allowed in project "test"
Comment 3 Michal Fojtik 2017-03-24 10:01:32 UTC 
Miciah, are you working on this? Seems like something PM team should be addressing :-)
Comment 10 Chuan Yu 2017-03-31 09:06:33 UTC 
As there no new 3.5 puddle available, set the status to modified first.
Comment 12 Chuan Yu 2017-04-06 08:02:38 UTC 
Verified with 3.5.5.2,
# openshift version
openshift v3.5.5.2
kubernetes v1.5.2+43a9be4
etcd 3.1.0
Comment 14 errata-xmlrpc 2017-04-12 19:14:58 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:0884
Note You need to log in before you can comment on or make changes to this bug.