1477955 – Creating a rolebinding doesn't find the local role due to missing policybinding

Bug 1477955 - Creating a rolebinding doesn't find the local role due to missing policybinding

Summary: Creating a rolebinding doesn't find the local role due to missing policybinding

Keywords:
Status:	CLOSED DUPLICATE of bug 1477956
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Unknown
Sub Component:
Version:	3.5.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	---
Assignee:	Eric Paris
QA Contact:	Johnny Liu
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-08-03 10:12 UTC by Erik Bernoth
Modified:	2017-08-03 15:51 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-08-03 15:51:02 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
for reproduction, workaround commented out (714 bytes, text/x-vhdl) 2017-08-03 10:12 UTC, Erik Bernoth	no flags	Details
View All

Description Erik Bernoth 2017-08-03 10:12:06 UTC

Created attachment 1308676 [details]
for reproduction, workaround commented out

Description of problem:
When creating a SA, (local) Role and a (local) RoleBinding, creation of the RoleBinding fails since it is not able to find the PolicyBinding.

Version-Release number of selected component (if applicable):
-

How reproducible:
Create Resources in an empty project.

Steps to Reproduce:
1. Switch to fresh project "myproject" with user "system:admin"
2. cat rb.yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: operator
---
apiVersion: v1
kind: Role
metadata:
  name: xrole
rules:
- apiGroups:
  - ""
  - "batch"
  - "api"
  - "apps"
  resources:
  - "pods"
  - "jobs"
  - "statefulsets"
  verbs:
  - "get"
  - "list"
  - "create"
  - "delete"
  - "watch"
---
apiVersion: v1
kind: RoleBinding
metadata:
  name: xbinding
subjects:
- kind: ServiceAccount
  name: operator
roleRef:
  kind: Role
  name: xrole
  namespace: myproject
userNames:
- system:serviceaccount:myproject:operator
groupNames: null

3. oc create -f rb.yaml

Actual results:
serviceaccount "operator" created
role "xrole" created
Error from server (NotFound): error when creating "rb.yaml": policybinding "myproject:default" not found

Expected results:
PolicyBinding is generated
RoleBinding is created

Additional info:
It works if the PolicyBinding is created before the RoleBinding:
---
apiVersion: v1
kind: PolicyBinding
metadata:
  name: myproject:default
policyRef:
  name: default
  namespace: myproject
roleBindings: null

Comment 1 Eric Paris 2017-08-03 15:51:02 UTC


*** This bug has been marked as a duplicate of bug 1477956 ***

Note You need to log in before you can comment on or make changes to this bug.