Bug 1629524 - Should remove warning message for remove-cluster-role-from-user compared with add-cluster-role-to-user
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
: 4.6.0
Assignee: Standa Laznicka
QA Contact: scheng
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-09-17 03:16 UTC by XiaochuanWang
Modified: 2023-12-15 16:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: When removing a cluster role from a user, all rolebindings containing the role were considered instead of just those containing the user.
Consequence: When a rolebinding that wouldn't change contained the `rbac.authorization.kubernetes.io/autoupdate=false` annotation, a warning about changing a managed rolebinding was issued.
Fix: Only perform the annotation check on rolebindings that are going to change.
Result: No unnecessary warnings on `oc adm policy remove-cluster-role-from-user`.
Clone Of:
Environment:
Last Closed: 2020-10-27 15:54:19 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | openshift oc pull 454 | 0 | None | closed | Bug 1629524: only print/update changed rolebindings when removing roles | 2021-01-25 20:14:02 UTC
Red Hat Knowledge Base (Solution) | 5517911 | 0 | None | None | None | 2020-10-27 05:43:47 UTC
Red Hat Product Errata | RHBA-2020:4196 | 0 | None | None | None | 2020-10-27 15:54:36 UTC

Description XiaochuanWang 2018-09-17 03:16:11 UTC
Description of problem:
# oc adm policy remove-cluster-role-from-user cluster-admin xiaocwan
There is some warning info which should be removed. "Your changes may get lost whenever a master is restarted" should only apply to system clusterrolebinding changes. But my added clusterrolebinding for normal user xiaocwan is not changing a system clusterrolebinding, thus it need not prompt the warning.

Version-Release number of selected component (if applicable):
oc v3.11.6
kubernetes v1.11.0+d4cacc0

How reproducible:
always

Steps to Reproduce:
1. # oc adm policy add-cluster-role-to-user cluster-admin xiaocwan
cluster role "cluster-admin" added: "xiaocwan"

2. # oc adm policy remove-cluster-role-from-user cluster-admin xiaocwan
Warning: Your changes may get lost whenever a master is restarted, unless you prevent reconciliation of this rolebinding using the following command: oc annotate clusterrolebinding.rbac cluster-admin 'rbac.authorization.kubernetes.io/autoupdate=false' --overwriteWarning: Your changes may get lost whenever a master is restarted, unless you prevent reconciliation of this rolebinding using the following command: oc annotate clusterrolebinding.rbac cluster-admins 'rbac.authorization.kubernetes.io/autoupdate=false' --overwritecluster role "cluster-admin" removed: "xiaocwan"


Actual results:
2. The warning info should not display. Please also notice it is displayed twice without space in "--overwriteWarning"

Expected results:
2. Since add-cluster-role-to-user does not show warning info, remove-cluster-role-from-user should remove the info as well.

Additional info:

Comment 1 scheng 2018-09-17 07:21:09 UTC
When a master is restarted, the default subjects which were removed will be added back to {cluster}rolebindings, and it won't remove the subjects that you had added to {cluster}rolebindings before, so it doesn't need to add warning info when using the add verb, thanks.

Comment 14 ITD27M01 2020-05-19 10:18:46 UTC
Still present in 4.4

Comment 19 Amit Kumar Das 2020-10-19 06:57:20 UTC
FYI, the following warning message was seen while adding remove-cluster-role-from-group policy in Version OpenShift dedicated: 4.4.16

========
 ❯ oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth
 Warning: Your changes may get lost whenever a master is restarted, unless you prevent reconciliation of this rolebinding using the following command: oc annotate clusterrolebinding.rbac self-provisioners 'rbac.authorization.kubernetes.io/autoupdate=false' --overwrite

clusterrole.rbac.authorization.k8s.io/self-provisioner removed: "system:authenticated:oauth"

❯ oc annotate clusterrolebinding.rbac self-provisioners 'rbac.authorization.kubernetes.io/autoupdate=false' --overwrite
 Error from server (NotFound): clusterrolebindings.rbac.authorization.k8s.io "self-provisioners" not found
========


Currently, we have suggested that the customer ignore the warning message; the changes applied won't roll back after the master is restarted. The fix will be included in the oc 4.6 release.

Comment 21 errata-xmlrpc 2020-10-27 15:54:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4196
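
The cause and fix recorded in the Doc Text, modelled as an added example (not code from the oc repository or the linked pull request). The types, `Warnings`, `Sample`, the subjects and the binding name `cluster-admin-0` are constructed, and the sketch assumes managed bindings carry the annotation with the value "true".

```go
package main

import "fmt"

const autoUpdateKey = "rbac.authorization.kubernetes.io/autoupdate"

// Simplified stand-ins for RBAC objects (not the Kubernetes or oc types).
type Subject struct{ Kind, Name string }
type Binding struct {
	Name, Role  string
	Annotations map[string]string
	Subjects    []Subject
}

// Warnings lists bindings that trigger the reconciliation warning when s is removed
// from role. onlyChanged=false models the cause in the Doc Text, true models the fix.
func Warnings(bs []Binding, role string, s Subject, onlyChanged bool) (warn []string) {
	for _, b := range bs {
		if b.Role != role {
			continue
		}
		holds := false
		for _, cur := range b.Subjects {
			holds = holds || cur == s
		}
		if onlyChanged && !holds {
			continue // binding would not change: skip the annotation check
		}
		// Assumption: reconciled (managed) bindings carry autoupdate="true".
		if b.Annotations[autoUpdateKey] == "true" {
			warn = append(warn, b.Name)
		}
	}
	return warn
}

// Sample returns constructed state; subjects and "cluster-admin-0" are made up.
func Sample() []Binding {
	auto := map[string]string{autoUpdateKey: "true"}
	return []Binding{
		{"cluster-admin", "cluster-admin", auto, []Subject{{"Group", "system:masters"}}},
		{"cluster-admins", "cluster-admin", auto, []Subject{{"Group", "system:cluster-admins"}}},
		{"cluster-admin-0", "cluster-admin", nil, []Subject{{"User", "xiaocwan"}}},
	}
}

func main() {
	u := Subject{"User", "xiaocwan"}
	fmt.Println("before fix:", Warnings(Sample(), "cluster-admin", u, false))
	fmt.Println("after fix: ", Warnings(Sample(), "cluster-admin", u, true))
}
```

With the sample state, the unfiltered check names the same two bindings as the warnings in the reproduction steps, while the filtered check names none because only the user's own binding changes.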

