Description of problem:
Unable to disallow project creation from system:authenticated users after upgrade to 3.9. In 3.7 prior to the upgrade, we were able to protect the role after removing the group from the rolebinding. Currently in 3.9, it looks like the protect is working, but the OCP RBAC object does not exist after removing the group from the rolebinding. So when the master services are restarted, the rolebinding is re-created (not protected anymore).

Version-Release number of selected component (if applicable):
3.9.14-1

How reproducible:
Every time

Steps to Reproduce:
~~~
[root@master-0 cloud-user]# yum list installed | grep atomic-openshift.x86_64
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
atomic-openshift.x86_64    3.9.14-1.git.0.4efa2ca.el7    @rhel-7-server-ose-3.9-rpms
[root@master-0 cloud-user]# oc get clusterrolebindings > before.out
[root@master-0 cloud-user]# oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated system:authenticated:oauth
cluster role "self-provisioner" removed: ["system:authenticated" "system:authenticated:oauth"]
[root@master-0 cloud-user]# oc get clusterrolebindings > after.out
[root@master-0 cloud-user]# diff before.out after.out
20d19
< self-provisioners        /self-provisioner        system:authenticated:oauth
[root@master-0 cloud-user]# yum list installed | grep atomic-openshift.x86_64
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
atomic-openshift.x86_64    3.9.14-1.git.0.4efa2ca.el7    @rhel-7-server-ose-3.9-rpms
[root@master-0 cloud-user]# oc get clusterrolebinding | grep self
self-access-reviewers    /self-access-reviewer    system:authenticated, system:unauthenticated
self-provisioner         /self-provisioner        management-infra/management-admin
[root@master-0 cloud-user]# systemctl restart atomic-openshift-master-*
[root@master-0 cloud-user]# oc get clusterrolebinding | grep self
self-access-reviewers    /self-access-reviewer    system:authenticated, system:unauthenticated
self-provisioner         /self-provisioner        management-infra/management-admin
self-provisioners        /self-provisioner        system:authenticated:oauth
[root@master-0 cloud-user]# oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated system:authenticated:oauth
cluster role "self-provisioner" removed: ["system:authenticated" "system:authenticated:oauth"]
[root@master-0 cloud-user]# oc get clusterrolebinding | grep self
self-access-reviewers    /self-access-reviewer    system:authenticated, system:unauthenticated
self-provisioner         /self-provisioner        management-infra/management-admin
[root@master-0 cloud-user]# oc annotate clusterrolebinding self-provisioners "openshift.io/reconcile-protect=true" --overwrite
Error from server (NotFound): clusterrolebindings.authorization.openshift.io "self-provisioners" not found
[root@master-0 cloud-user]# systemctl restart atomic-openshift-master-*
[root@master-0 cloud-user]# oc get clusterrolebinding | grep self
self-access-reviewers    /self-access-reviewer    system:authenticated, system:unauthenticated
self-provisioner         /self-provisioner        management-infra/management-admin
self-provisioners        /self-provisioner        system:authenticated:oauth
[root@master-0 cloud-user]# oc annotate clusterrolebinding self-provisioners "openshift.io/reconcile-protect=true" --overwrite
clusterrolebinding "self-provisioners" annotated
[root@master-0 cloud-user]# systemctl restart atomic-openshift-master-*
[root@master-0 cloud-user]# oc get clusterrolebinding | grep self
self-access-reviewers    /self-access-reviewer    system:authenticated, system:unauthenticated
self-provisioner         /self-provisioner        management-infra/management-admin
self-provisioners        /self-provisioner        system:authenticated:oauth
[root@master-0 cloud-user]# oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated system:authenticated:oauth
cluster role "self-provisioner" removed: ["system:authenticated" "system:authenticated:oauth"]
[root@master-0 cloud-user]# oc get clusterrolebinding | grep self
self-access-reviewers    /self-access-reviewer    system:authenticated, system:unauthenticated
self-provisioner         /self-provisioner        management-infra/management-admin
[root@master-0 cloud-user]# systemctl restart atomic-openshift-master-*
[root@master-0 cloud-user]# oc get clusterrolebinding | grep self
self-access-reviewers    /self-access-reviewer    system:authenticated, system:unauthenticated
self-provisioner         /self-provisioner        management-infra/management-admin
self-provisioners        /self-provisioner        system:authenticated:oauth
~~~

Actual results:
rolebinding is re-created and allows users to create new projects.

Expected results:
rolebinding does not allow system:authenticated users to create new projects

Additional info:
The correct way to do this in 3.7+ is to not rely on the oc policy commands. Instead do as follows. Save the following data as fix.yaml:

~~~
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "false"
  name: self-provisioners
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: self-provisioner
~~~

Then do a "oc create -f fix.yaml"
Opened https://github.com/openshift/origin/pull/19846 as a way to address use cases like these.
Verified. When clusterrolebinding self-provisioners is annotated with "openshift.io/reconcile-protect=true", the rolebinding will not be reconciled when the master service is restarted.

~~~
# openshift version
openshift v3.9.31
kubernetes v1.9.1+a0ce1bc657
etcd 3.2.16
~~~
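An added audit check, not part of the bug report or of OpenShift itself, that ties together the two protections discussed above (the `rbac.authorization.kubernetes.io/autoupdate: "false"` annotation from fix.yaml and the `openshift.io/reconcile-protect=true` annotation from the verification comment): it reads the JSON that `oc get clusterrolebinding self-provisioners -o json` would print and reports whether the binding is locked against reconciliation and free of the system:authenticated groups. The two sample documents are constructed inline so the check runs offline.

```python
"""Added example, not from the bug report: audit the self-provisioners
ClusterRoleBinding as `oc get clusterrolebinding self-provisioners -o json`
would print it, and report whether it is locked against reconciliation and
free of the system:authenticated groups. Samples below are constructed."""
import json

# Annotations named in the thread: the Kubernetes RBAC one used in
# fix.yaml, and the OpenShift one verified in the last comment.
PROTECT_ANNOTATIONS = {
    "rbac.authorization.kubernetes.io/autoupdate": "false",
    "openshift.io/reconcile-protect": "true",
}
# Groups whose presence lets every logged-in user create projects.
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth"}


def audit_binding(doc: str) -> dict:
    """Return the protect flag, the broad groups bound, and an overall verdict."""
    crb = json.loads(doc)
    annotations = crb.get("metadata", {}).get("annotations") or {}
    protected = any(annotations.get(k) == v for k, v in PROTECT_ANNOTATIONS.items())
    broad = sorted(
        s["name"] for s in crb.get("subjects") or []
        if s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS
    )
    # Safe only if reconciliation cannot re-add the groups AND none is bound now.
    return {"protected": protected, "broad_subjects": broad, "ok": protected and not broad}


ROLE_REF = {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
            "name": "self-provisioner"}
# Constructed sample: the binding as the master reconciles it back after a restart.
RECONCILED = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
    "metadata": {"name": "self-provisioners",
                 "annotations": {"rbac.authorization.kubernetes.io/autoupdate": "true"}},
    "roleRef": ROLE_REF,
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group",
                  "name": "system:authenticated:oauth"}],
})

# Constructed sample: fix.yaml from the thread expressed as JSON (no subjects).
FIXED = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
    "metadata": {"name": "self-provisioners",
                 "annotations": {"rbac.authorization.kubernetes.io/autoupdate": "false"}},
    "roleRef": ROLE_REF,
})

print("reconciled:", audit_binding(RECONCILED))  # ok False, binds system:authenticated:oauth
print("fixed:", audit_binding(FIXED))            # ok True
```

Feed it the live output of `oc get clusterrolebinding self-provisioners -o json` after a master restart to confirm the binding stayed as created rather than being reconciled back.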
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:2013
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days