Description of problem:
# oc adm policy remove-cluster-role-from-user cluster-admin xiaocwan
There is some warning info which should be removed. "Your changes may get lost whenever a master is restarted" should only apply to system clusterrolebinding changes. But my added clusterrolebinding for normal user xiaocwan is not changing a system clusterrolebinding, thus it need not prompt the warning.

Version-Release number of selected component (if applicable):
oc v3.11.6
kubernetes v1.11.0+d4cacc0

How reproducible:
always

Steps to Reproduce:
1. # oc adm policy add-cluster-role-to-user cluster-admin xiaocwan
   cluster role "cluster-admin" added: "xiaocwan"
2. # oc adm policy remove-cluster-role-from-user cluster-admin xiaocwan
   Warning: Your changes may get lost whenever a master is restarted, unless you prevent reconciliation of this rolebinding using the following command:
   oc annotate clusterrolebinding.rbac cluster-admin 'rbac.authorization.kubernetes.io/autoupdate=false' --overwriteWarning: Your changes may get lost whenever a master is restarted, unless you prevent reconciliation of this rolebinding using the following command:
   oc annotate clusterrolebinding.rbac cluster-admins 'rbac.authorization.kubernetes.io/autoupdate=false' --overwritecluster role "cluster-admin" removed: "xiaocwan"

Actual results:
2. The warning info should not display. Please also notice it is displayed twice without space in "--overwriteWarning".

Expected results:
2. Since add-cluster-role-to-user does not show warning info, remove-cluster-role-from-user should remove the info as well.

Additional info:
When a master is restarted, the default subjects which were removed will be added back to {cluster}rolebindings, and it won't remove the subjects that you had added to {cluster}rolebindings before, so it doesn't need to add warning info when using the add verb, thanks.
Still present in 4.4
FYI, the following warning message was seen while adding a remove-cluster-role-from-group policy in Version OpenShift dedicated: 4.4.16

========
❯ oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth
Warning: Your changes may get lost whenever a master is restarted, unless you prevent reconciliation of this rolebinding using the following command:
oc annotate clusterrolebinding.rbac self-provisioners 'rbac.authorization.kubernetes.io/autoupdate=false' --overwrite
clusterrole.rbac.authorization.k8s.io/self-provisioner removed: "system:authenticated:oauth"

❯ oc annotate clusterrolebinding.rbac self-provisioners 'rbac.authorization.kubernetes.io/autoupdate=false' --overwrite
Error from server (NotFound): clusterrolebindings.rbac.authorization.k8s.io "self-provisioners" not found
========

Currently, we have suggested that the customer ignore the warning message, and the changes applied won't roll back after the master is restarted. The fix will be included in the oc 4.6 release.
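Added example, not part of the original report or of oc itself: since the warning above names a binding that the server then reports as NotFound, this sketch lists the ClusterRoleBindings that actually reference a role, with their autoupdate annotation, from `oc get clusterrolebinding -o json` output. The sample listing, the binding names in it, and the choice to treat autoupdate "true" as the marker of a reconciled binding are assumptions of this example.

```python
import json

AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"

# Constructed sample shaped like `oc get clusterrolebinding -o json` output.
# Binding names, subjects and annotation values are illustrative only.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "example-default-binding",
                  "annotations": {AUTOUPDATE: "true"}},
     "roleRef": {"kind": "ClusterRole", "name": "self-provisioner"},
     "subjects": [{"kind": "Group", "name": "system:authenticated:oauth"}]},
    {"metadata": {"name": "example-admin-added"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "xiaocwan"}]},
    {"metadata": {"name": "example-pinned",
                  "annotations": {AUTOUPDATE: "false"}},
     "roleRef": {"kind": "ClusterRole", "name": "self-provisioner"},
     "subjects": None},
]})


def bindings_for_role(listing_json, role):
    """Return a record for every ClusterRoleBinding that references `role`."""
    records = []
    for item in json.loads(listing_json).get("items") or []:
        ref = item.get("roleRef") or {}
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        meta = item.get("metadata") or {}
        records.append({
            "binding": meta.get("name"),
            # None means the annotation is absent on this binding.
            "autoupdate": (meta.get("annotations") or {}).get(AUTOUPDATE),
            # `subjects` can be null once the last subject is removed.
            "subjects": [(s.get("kind"), s.get("name"))
                         for s in item.get("subjects") or []],
        })
    return records


def reconciliation_candidates(listing_json, role):
    """Names of existing bindings for `role` annotated autoupdate=true
    (assumption of this example: that value marks a reconciled binding)."""
    return [r["binding"] for r in bindings_for_role(listing_json, role)
            if r["autoupdate"] == "true"]


if __name__ == "__main__":
    for rec in bindings_for_role(SAMPLE, "self-provisioner"):
        print(rec)
```

Against a live cluster, pass the text of `oc get clusterrolebinding -o json` in place of SAMPLE; an empty result for a role means no existing binding carries the annotation the warning refers to.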
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196