Description of problem: Watcher with resource RoleBinding not working: oc get rolebinding -w NAME ROLE USERS GROUPS SERVICE ACCOUNTS SUBJECTS admin /admin developer system:deployers /system:deployer deployer system:image-builders /system:image-builder builder system:image-pullers /system:image-puller system:serviceaccounts:myproject Error from server (NotFound): the server could not find the requested resource (get rolebindings) That last error shows that the standard watch URL (e.g. https://openshiftapi/oapi/v1/watch/namespaces/myproject/rolebindings) doesn't exist for that resource kind. Version-Release number of selected component (if applicable): How reproducible: All the time Steps to Reproduce: 1. oc get rolebinding -w 2. 3. Actual results: Error from server (NotFound): the server could not find the requested resource (get rolebindings) Expected results: Being able to get and watch role bindings Additional info:
Use-case is the following: - we provide egress functionality to customers in an automated way (egress: call external services either on the internet or in core it/company internal network, and this per tenant) - customer creates configmap with configuration, a controller listens to configmap changes and deploys a proxy (squid or haproxy) to a shadow project of the customers main project (this was necessary because of flexibility of nodeselector... service on internet -> proxy needs to be deployed on a node that has access to the internet, service in core it of specific customer -> deploy proxy to node that has access over vpn to that customers core it) - in order for the customer to see if the proxies are running or to have a look at the logs of the proxies, we give view rights on the shadow projects (everyone or every group that has any right on the main project is taken over to the shadow project as viewer only) - the controller I implemented creates the shadow project when the first proxy is needed (the projects are peered, meaning set netid on shadow project equal to the netid of the main project, by the way: netnamespace in openshift provides this and netnamespace does not exist in fabric8 client, I did an own implementation) - so when the shadow namespace is created, rolebindings are taken over as view - changes in rolebindings
Watching roles and rolebindings will be supported once we collapse onto the kubernetes RBAC API types. That is currently planned for the 3.7-3.8 timeframe.
Thanks Jordan for the quick feedback on where this fits in the roadmap.
Do we know if this functionality is still on track for the 3.7 OCP release?
In 3.7 we migrated to use Kubernetes RBAC, which is backed by actual objects. So watching RBAC Role Bindings should just work.
Thanks for the quick update, will see if things just work with the 3.7 release!
Shipped in GA