Description of problem: Every oc new-project gets an E level error that 3 system rolebindings already exist E0420 17:20:46.971349 1 defaultrolebindings.go:182] project0 failed with : [rolebindings.rbac.authorization.k8s.io "system:image-pullers" already exists, rolebindings.rbac.authorization.k8s.io "system:image-builders" already exists, rolebindings.rbac.authorization.k8s.io "system:deployers" already exists] I0420 17:20:47.055495 1 vnids.go:114] Allocated netid 6325719 for namespace "project1" E0420 17:20:47.229087 1 defaultrolebindings.go:182] project1 failed with : [rolebindings.rbac.authorization.k8s.io "system:image-pullers" already exists, rolebindings.rbac.authorization.k8s.io "system:image-builders" already exists, rolebindings.rbac.authorization.k8s.io "system:deployers" already exists] I0420 17:20:47.345691 1 vnids.go:114] Allocated netid 12903804 for namespace "project2" E0420 17:20:47.531643 1 defaultrolebindings.go:182] project2 failed with : [rolebindings.rbac.authorization.k8s.io "system:image-pullers" already exists, rolebindings.rbac.authorization.k8s.io "system:image-builders" already exists, rolebindings.rbac.authorization.k8s.io "system:deployers" already exists] I0420 17:20:47.659897 1 vnids.go:114] Allocated netid 11566576 for namespace "project3" E0420 17:20:47.848781 1 defaultrolebindings.go:182] project3 failed with : [rolebindings.rbac.authorization.k8s.io "system:image-pullers" already exists, rolebindings.rbac.authorization.k8s.io "system:image-builders" already exists, rolebindings.rbac.authorization.k8s.io "system:deployers" already exists] I0420 17:20:47.955052 1 vnids.go:114] Allocated netid 12280207 for namespace "project4" E0420 17:20:48.127354 1 defaultrolebindings.go:182] project4 failed with : [rolebindings.rbac.authorization.k8s.io "system:image-pullers" already exists, rolebindings.rbac.authorization.k8s.io "system:image-builders" already exists, rolebindings.rbac.authorization.k8s.io "system:deployers" already exists] Version-Release number of selected component (if applicable): 3.10-0.22.0 How reproducible: Always on oc new-project Steps to Reproduce: 1. Setup a cluster (mine was HA on AWS: 3 master/etcd, 2 infra, 3 computes) 2. Watch the master-controller logs while doing oc new-project Actual results: E0420 17:20:48.127354 1 defaultrolebindings.go:182] project4 failed with : [rolebindings.rbac.authorization.k8s.io "system:image-pullers" already exists, rolebindings.rbac.authorization.k8s.io "system:image-builders" already exists, rolebindings.rbac.authorization.k8s.io "system:deployers" already exists] Expected results: No errors for normal project creation Additional info:
Starting with component=security. Not sure if it belongs elsewhere like CLI.
David, seem like this is another fallout of your controller Pr in this area. What should we do ?
I would suppress the error like this: https://github.com/openshift/origin/pull/19455.
PR is merged.
Verified on 3.10.0-0.33.0. No error messages present for project creation.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1816