Bug 1580538 - Unable to disallow project creation from system:authenticated users after upgrade to 3.9 [NEEDINFO]
Summary: Unable to disallow project creation from system:authenticated users after upgr...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 3.9.z
Assignee: Simo Sorce
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-05-21 17:51 UTC by emahoney
Modified: 2018-06-27 18:02 UTC (History)
7 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
undefined
Clone Of:
Environment:
Last Closed: 2018-06-27 18:02:09 UTC
Target Upstream Version:
mkhan: needinfo? (emahoney)




Links
System: Red Hat Product Errata
ID: RHSA-2018:2013
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: OpenShift Container Platform 3.9 security, bug fix, and enhancement update
Last Updated: 2018-06-27 22:01:43 UTC

Description emahoney 2018-05-21 17:51:39 UTC
Description of problem: Unable to disallow project creation from system:authenticated users after upgrade to 3.9. In 3.7, prior to the upgrade, we were able to protect the role after removing the group from the rolebinding. Currently in 3.9, it looks like the protection is working, but the OCP RBAC object does not exist after removing the group from the rolebinding. So when the master services are restarted, the rolebinding is re-created (not protected anymore).


Version-Release number of selected component (if applicable):
3.9.14-1

How reproducible:
Every time


Steps to Reproduce:

~~~
[root@master-0 cloud-user]# yum list installed | grep atomic-openshift.x86_64
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
atomic-openshift.x86_64          3.9.14-1.git.0.4efa2ca.el7  @rhel-7-server-ose-3.9-rpms
[root@master-0 cloud-user]# oc get clusterrolebindings > before.out
[root@master-0 cloud-user]# oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated system:authenticated:oauth
cluster role "self-provisioner" removed: ["system:authenticated" "system:authenticated:oauth"]
[root@master-0 cloud-user]# oc get clusterrolebindings > after.out
[root@master-0 cloud-user]# diff before.out after.out 
20d19
< self-provisioners                                                     /self-provisioner                                                                                       system:authenticated:oauth  
 
[root@master-0 cloud-user]# yum list installed | grep atomic-openshift.x86_64
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
atomic-openshift.x86_64          3.9.14-1.git.0.4efa2ca.el7  @rhel-7-server-ose-3.9-rpms

[root@master-0 cloud-user]# oc get clusterrolebinding | grep self
self-access-reviewers                                                 /self-access-reviewer                                                                                   system:authenticated, system:unauthenticated                                                                                      
self-provisioner                                                      /self-provisioner                                                                                                                                      management-infra/management-admin    
                                              
[root@master-0 cloud-user]# systemctl restart atomic-openshift-master-*

[root@master-0 cloud-user]# oc get clusterrolebinding | grep self
self-access-reviewers                                                 /self-access-reviewer                                                                                   system:authenticated, system:unauthenticated                                                                                      
self-provisioner                                                      /self-provisioner                                                                                                                                      management-infra/management-admin                                                  
self-provisioners                                                     /self-provisioner                                                                                       system:authenticated:oauth                         
                                                                               
[root@master-0 cloud-user]# oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated system:authenticated:oauth
cluster role "self-provisioner" removed: ["system:authenticated" "system:authenticated:oauth"]

[root@master-0 cloud-user]# oc get clusterrolebinding | grep self
self-access-reviewers                                                 /self-access-reviewer                                                                                   system:authenticated, system:unauthenticated                                                                                      
self-provisioner                                                      /self-provisioner                                                                                                                                      management-infra/management-admin  
                                                
[root@master-0 cloud-user]# oc annotate clusterrolebinding self-provisioners "openshift.io/reconcile-protect=true" --overwrite
Error from server (NotFound): clusterrolebindings.authorization.openshift.io "self-provisioners" not found

[root@master-0 cloud-user]# systemctl restart atomic-openshift-master-*

[root@master-0 cloud-user]# oc get clusterrolebinding | grep self
self-access-reviewers                                                 /self-access-reviewer                                                                                   system:authenticated, system:unauthenticated                                                                                      
self-provisioner                                                      /self-provisioner                                                                                                                                      management-infra/management-admin                                                  
self-provisioners                                                     /self-provisioner                                                                                       system:authenticated:oauth                
                                                                                        
[root@master-0 cloud-user]# oc annotate clusterrolebinding self-provisioners "openshift.io/reconcile-protect=true" --overwrite
clusterrolebinding "self-provisioners" annotated

[root@master-0 cloud-user]# systemctl restart atomic-openshift-master-*

[root@master-0 cloud-user]# oc get clusterrolebinding | grep self
self-access-reviewers                                                 /self-access-reviewer                                                                                   system:authenticated, system:unauthenticated                                                                                      
self-provisioner                                                      /self-provisioner                                                                                                                                      management-infra/management-admin                                                  
self-provisioners                                                     /self-provisioner                                                                                       system:authenticated:oauth                                                   
                                                     
[root@master-0 cloud-user]# oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated system:authenticated:oauth
cluster role "self-provisioner" removed: ["system:authenticated" "system:authenticated:oauth"]

[root@master-0 cloud-user]# oc get clusterrolebinding | grep self
self-access-reviewers                                                 /self-access-reviewer                                                                                   system:authenticated, system:unauthenticated                                                                                      
self-provisioner                                                      /self-provisioner                                                                                                                                      management-infra/management-admin                                
                  
[root@master-0 cloud-user]# systemctl restart atomic-openshift-master-*

[root@master-0 cloud-user]# oc get clusterrolebinding | grep self
self-access-reviewers                                                 /self-access-reviewer                                                                                   system:authenticated, system:unauthenticated                                                                                      
self-provisioner                                                      /self-provisioner                                                                                                                                      management-infra/management-admin                                                  
self-provisioners                                                     /self-provisioner                                                                                       system:authenticated:oauth                                                                                                        
~~~


Actual results: rolebinding is re-created and allows users to create new projects. 


Expected results:  rolebinding does not allow system:authenticated users to create new projects


Additional info:

Comment 1 Mo 2018-05-25 12:55:44 UTC
The correct way to do this in 3.7+ is to not rely on the oc policy commands.  Instead do as follows.

Save the following data as fix.yaml:

~~~
# self-provisioners binding with no subjects, so nobody is granted
# self-provisioner through it, and with the Kubernetes RBAC reconciler
# told not to rewrite it when the master restarts.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "false"
  name: self-provisioners
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: self-provisioner
~~~

Then do a "oc create -f fix.yaml"

Comment 2 Simo Sorce 2018-05-25 13:53:55 UTC
Opened https://github.com/openshift/origin/pull/19846 as a way to address use cases like these.

Comment 4 Chuan Yu 2018-06-13 08:42:34 UTC
Verified.

When the clusterrolebinding self-provisioners is annotated with "openshift.io/reconcile-protect=true", the rolebinding will not be reconciled when the master service is restarted.

# openshift version
openshift v3.9.31
kubernetes v1.9.1+a0ce1bc657
etcd 3.2.16
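The two protections discussed in this bug (the subject-less binding with `rbac.authorization.kubernetes.io/autoupdate: "false"` from Comment 1, and the `openshift.io/reconcile-protect=true` annotation verified in Comment 4) are easy to get wrong in exactly the way the report shows: the binding is gone, so there is nothing to annotate, and the master recreates it with its default groups on restart. The script below is an added example, not code from the bug report, the errata, or OpenShift itself. It assumes its input is the `items` list from `oc get clusterrolebindings -o json`; the `SAMPLE` data is constructed to mirror the post-restart state in the transcript. It reports every binding that hands `self-provisioner` to `system:authenticated` or `system:authenticated:oauth`, whether such a binding is unprotected, and whether the `self-provisioners` object is missing entirely (the state in which a restart brings it back), and it produces an apply-able remediated binding.

```python
"""Audit ClusterRoleBindings for the self-provisioner exposure in this bug.

Added example (not code from the bug report, the errata, or OpenShift).
Input is assumed to be the item list of `oc get clusterrolebindings -o json`;
SAMPLE is constructed to mirror the states in the transcript.
"""
import copy
import json
import sys

# Annotations the thread relies on: the upstream Kubernetes reconciler switch
# (Comment 1) and the OpenShift one that works again from 3.9.31 (Comment 4).
AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"
RECONCILE_PROTECT = "openshift.io/reconcile-protect"
ROLE = "self-provisioner"
BINDING = "self-provisioners"
ROLE_REF = {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": ROLE}
BROAD_GROUPS = {"system:authenticated", "system:authenticated:oauth"}


def is_protected(binding):
    """True if a master restart is told to leave this binding alone."""
    ann = (binding.get("metadata") or {}).get("annotations") or {}
    return ann.get(AUTOUPDATE) == "false" or ann.get(RECONCILE_PROTECT) == "true"


def broad_groups(binding):
    """Groups on a self-provisioner binding that cover every logged-in user."""
    if (binding.get("roleRef") or {}).get("name") != ROLE:
        return set()
    return {s["name"] for s in binding.get("subjects") or []
            if s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS}


def audit(bindings):
    """Return {'broad': [...], 'unprotected': [...], 'missing': bool}.

    'broad': bindings granting self-provisioner to all authenticated users;
    'unprotected': those of them the reconciler may rewrite on restart;
    'missing': no self-provisioners binding exists, so the default one
    (with its groups) comes back at the next master restart.
    """
    broad, unprotected = [], []
    for b in bindings:
        name = b["metadata"]["name"]
        if broad_groups(b):
            broad.append(name)
            if not is_protected(b):
                unprotected.append(name)
    missing = not any(b["metadata"]["name"] == BINDING for b in bindings)
    return {"broad": broad, "unprotected": unprotected, "missing": missing}


def remediate(binding):
    """Copy of a binding with the broad groups dropped and autoupdate=false set.

    Unlike `oc adm policy remove-cluster-role-from-group`, this keeps the
    object around (possibly subject-less) so there is something to protect.
    """
    out = copy.deepcopy(binding)
    out["subjects"] = [s for s in out.get("subjects") or []
                       if not (s.get("kind") == "Group" and s.get("name") in BROAD_GROUPS)]
    meta = out.setdefault("metadata", {})
    meta.setdefault("annotations", {})[AUTOUPDATE] = "false"
    for k in ("resourceVersion", "uid", "creationTimestamp", "selfLink"):
        meta.pop(k, None)  # server-populated fields; drop before `oc apply`
    return out


def fix_manifest():
    """The subject-less, protected binding from Comment 1, for when the
    binding is currently absent (as after the remove command in the report)."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
            "metadata": {"name": BINDING, "annotations": {AUTOUPDATE: "false"}},
            "roleRef": dict(ROLE_REF)}


def _group(name):
    return {"kind": "Group", "apiGroup": "rbac.authorization.k8s.io", "name": name}


# Constructed sample: the post-restart state seen in the transcript.
SAMPLE = [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": BINDING, "annotations": {AUTOUPDATE: "true"},
                  "resourceVersion": "1234"},
     "roleRef": dict(ROLE_REF),
     "subjects": [_group("system:authenticated"), _group("system:authenticated:oauth")]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "self-provisioner"}, "roleRef": dict(ROLE_REF),
     "subjects": [{"kind": "ServiceAccount", "namespace": "management-infra",
                   "name": "management-admin"}]},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "self-access-reviewers"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                 "name": "self-access-reviewer"},
     "subjects": [_group("system:authenticated"), _group("system:unauthenticated")]},
]

if __name__ == "__main__":
    # Pipe in `oc get clusterrolebindings -o json`, or run with no input for SAMPLE.
    items = json.load(sys.stdin)["items"] if not sys.stdin.isatty() else SAMPLE
    print(json.dumps(audit(items), indent=2))
```

Feed the remediated object to `oc apply -f` (or write `fix_manifest()` out and `oc create -f` it, as in Comment 1, when `audit` reports `missing`; `oc create` refuses an object that already exists). The `openshift.io/reconcile-protect` check is only meaningful on a build that honours it again, which per Comment 4 is 3.9.31 and later; on 3.9.14 the `autoupdate: "false"` route is the one that survives a restart.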

Comment 6 errata-xmlrpc 2018-06-27 18:02:09 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:2013

