Bug 1570139 - Every oc new-project gets an error message that rolebindings system:image-puller, system:image-builders and system:deployers already exists
Summary: Every oc new-project gets an error message that rolebindings system:image-pul...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth
Version: 3.10.0
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
: 3.10.0
Assignee: David Eads
QA Contact: Mike Fiedler
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-20 17:25 UTC by Mike Fiedler
Modified: 2018-07-30 19:13 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-07-30 19:13:21 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:1816 None None None 2018-07-30 19:13:51 UTC

Description Mike Fiedler 2018-04-20 17:25:50 UTC
Description of problem:

Every oc new-project gets an E level error that 3 system rolebindings already exist

E0420 17:20:46.971349       1 defaultrolebindings.go:182] project0 failed with : [rolebindings.rbac.authorization.k8s.io "system:image-pullers" already exists, rolebindings.rbac.authorization.k8s.io "system:image-builders" already exists, rolebindings.rbac.authorization.k8s.io "system:deployers" already exists]
I0420 17:20:47.055495       1 vnids.go:114] Allocated netid 6325719 for namespace "project1"                                                 
E0420 17:20:47.229087       1 defaultrolebindings.go:182] project1 failed with : [rolebindings.rbac.authorization.k8s.io "system:image-pullers" already exists, rolebindings.rbac.authorization.k8s.io "system:image-builders" already exists, rolebindings.rbac.authorization.k8s.io "system:deployers" already exists]
I0420 17:20:47.345691       1 vnids.go:114] Allocated netid 12903804 for namespace "project2"                                                
E0420 17:20:47.531643       1 defaultrolebindings.go:182] project2 failed with : [rolebindings.rbac.authorization.k8s.io "system:image-pullers" already exists, rolebindings.rbac.authorization.k8s.io "system:image-builders" already exists, rolebindings.rbac.authorization.k8s.io "system:deployers" already exists]
I0420 17:20:47.659897       1 vnids.go:114] Allocated netid 11566576 for namespace "project3"                                                
E0420 17:20:47.848781       1 defaultrolebindings.go:182] project3 failed with : [rolebindings.rbac.authorization.k8s.io "system:image-pullers" already exists, rolebindings.rbac.authorization.k8s.io "system:image-builders" already exists, rolebindings.rbac.authorization.k8s.io "system:deployers" already exists]
I0420 17:20:47.955052       1 vnids.go:114] Allocated netid 12280207 for namespace "project4"                                                
E0420 17:20:48.127354       1 defaultrolebindings.go:182] project4 failed with : [rolebindings.rbac.authorization.k8s.io "system:image-pullers" already exists, rolebindings.rbac.authorization.k8s.io "system:image-builders" already exists, rolebindings.rbac.authorization.k8s.io "system:deployers" already exists]



Version-Release number of selected component (if applicable): 3.10-0.22.0


How reproducible: Always on oc new-project


Steps to Reproduce:
1.  Setup a cluster (mine was HA on AWS:  3 master/etcd, 2 infra, 3 computes)
2.  Watch the master-controller logs while doing oc new-project


Actual results:

E0420 17:20:48.127354       1 defaultrolebindings.go:182] project4 failed with : [rolebindings.rbac.authorization.k8s.io "system:image-pullers" already exists, rolebindings.rbac.authorization.k8s.io "system:image-builders" already exists, rolebindings.rbac.authorization.k8s.io "system:deployers" already exists]

Expected results:

No errors for normal project creation

Additional info:

Comment 1 Mike Fiedler 2018-04-20 17:27:12 UTC
Starting with component=security.  Not sure if it belongs elsewhere like CLI.

Comment 2 Simo Sorce 2018-04-20 18:27:28 UTC
David,
seem like this is another fallout of your controller Pr in this area.
What should we do ?

Comment 3 David Eads 2018-04-20 18:39:34 UTC
I would suppress the error like this: https://github.com/openshift/origin/pull/19455.

Comment 4 Mo 2018-04-23 14:42:10 UTC
PR is merged.

Comment 5 Mike Fiedler 2018-05-07 19:50:25 UTC
Verified on 3.10.0-0.33.0.  No error messages present for project creation.

Comment 7 errata-xmlrpc 2018-07-30 19:13:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1816


Note You need to log in before you can comment on or make changes to this bug.