Bug 1477955 - Creating a rolebinding doesn't find the local role due to missing policybinding
Status: CLOSED DUPLICATE of bug 1477956
Product: OpenShift Container Platform
Classification: Red Hat
Component: Unknown
Version: 3.5.1
Assigned To: Eric Paris
QA Contact: Johnny Liu
Reported: 2017-08-03 06:12 EDT by Erik Bernoth
Modified: 2017-08-03 11:51 EDT (History)
Last Closed: 2017-08-03 11:51:02 EDT
Type: Bug

Description Erik Bernoth 2017-08-03 06:12:06 EDT
Created attachment 1308676: for reproduction, workaround commented out

Description of problem:
When creating a SA, (local) Role and a (local) RoleBinding, creation of the RoleBinding fails since it is not able to find the PolicyBinding.

Version-Release number of selected component (if applicable):
-

How reproducible:
Create Resources in an empty project.

Steps to Reproduce:
1. Switch to fresh project "myproject" with user "system:admin"
2. cat rb.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: operator
---
apiVersion: v1
kind: Role
metadata:
  name: xrole
rules:
- apiGroups:
  - ""
  - "batch"
  - "api"
  - "apps"
  resources:
  - "pods"
  - "jobs"
  - "statefulsets"
  verbs:
  - "get"
  - "list"
  - "create"
  - "delete"
  - "watch"
---
apiVersion: v1
kind: RoleBinding
metadata:
  name: xbinding
subjects:
- kind: ServiceAccount
  name: operator
roleRef:
  kind: Role
  name: xrole
  namespace: myproject
userNames:
- system:serviceaccount:myproject:operator
groupNames: null

3. oc create -f rb.yaml

Actual results:
serviceaccount "operator" created
role "xrole" created
Error from server (NotFound): error when creating "rb.yaml": policybinding "myproject:default" not found

Expected results:
PolicyBinding is generated
RoleBinding is created

Additional info:
It works if the PolicyBinding is created before the RoleBinding:
---
apiVersion: v1
kind: PolicyBinding
metadata:
  name: myproject:default
policyRef:
  name: default
  namespace: myproject
roleBindings: null
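
The workaround above, scripted so the PolicyBinding exists before any local RoleBinding is created; this is an added example, not part of the original report or of OpenShift. The function names are hypothetical, and it assumes `oc` is on PATH and logged in with rights to create PolicyBindings in the project.

```shell
#!/bin/sh
# Added example: apply the report's workaround before creating local RoleBindings.
# Assumption: `oc` is on PATH and logged in with sufficient rights.

# Print the PolicyBinding manifest from the report for namespace $1.
policybinding_manifest() {
  ns=$1
  cat <<EOF
apiVersion: v1
kind: PolicyBinding
metadata:
  name: ${ns}:default
policyRef:
  name: default
  namespace: ${ns}
roleBindings: null
EOF
}

# Create "<ns>:default" only if it is missing, so the script is safe to re-run.
# Echoes "exists" or "created"; returns non-zero if creation fails.
ensure_policybinding() {
  ns=$1
  if oc get policybinding "${ns}:default" -n "$ns" >/dev/null 2>&1; then
    echo exists
    return 0
  fi
  policybinding_manifest "$ns" | oc create -n "$ns" -f - >/dev/null || return 1
  echo created
}

# Hypothetical wrapper: ensure the PolicyBinding first, then create the file
# holding the ServiceAccount, Role and RoleBinding (rb.yaml in the report).
create_with_local_roles() {
  ns=$1 file=$2
  ensure_policybinding "$ns" >/dev/null || return 1
  oc create -n "$ns" -f "$file"
}
```

For the reproduction in this report the call would be `create_with_local_roles myproject rb.yaml`.
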
Comment 1 Eric Paris 2017-08-03 11:51:02 EDT

*** This bug has been marked as a duplicate of bug 1477956 ***
