1633101 – `oc get project name --watch` run by cluster-admin should not print all projects first

Bug 1633101 - `oc get project name --watch` run by cluster-admin should not print all projects first

Summary: `oc get project name --watch` run by cluster-admin should not print all proje...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	oc
Sub Component:
Version:	3.11.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	low
Target Milestone:	---
Target Release:	4.1.0
Assignee:	Maciej Szulik
QA Contact:	Xingxing Xia
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-09-26 08:11 UTC by Xingxing Xia
Modified:	2019-06-04 10:40 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: Project list was not properly filtered when watching. Consequence: Invoking watch on a project retured all projects. Fix: Apply proper filtering in the API. Result: Watching projects does not return list of all projects.
Clone Of:
Environment:
Last Closed:	2019-06-04 10:40:35 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2019:0758	None	None	None	2019-06-04 10:40:45 UTC

Description Xingxing Xia 2018-09-26 08:11:47 UTC

Description of problem:
`oc get project name --watch` run by cluster-admin should not print all projects first
Resource like `oc get pod name --watch` does not have the issue.

Version-Release number of selected component (if applicable):
v3.11.15

How reproducible:
Always

Steps to Reproduce:
1. Suppose cluster-admin wants to watch an existing project xxia-proj, run:
oc get project xxia-proj --watch


Actual results:
1. It prints all projects first

Expected results:
1. It needs not print all projects, because I only want to watch one project

Additional info:
Normal user of multiple projects does not has the issue

Comment 1 Juan Vallejo 2018-09-26 22:27:53 UTC

You can work around this issue by getting the namespace instead:

```
oc get namespace xxia-proj --watch
```

Comment 2 Juan Vallejo 2018-09-28 23:21:21 UTC

It appears that when watching events for a single, particular project, as a cluster admin, `watch.Until()` will return events for all other projects in the cluster, despite asking to watch a single, particular project.

I will investigate this further, for now I have a patch that handles this case at the command level [2].

1. https://github.com/kubernetes/kubernetes/blob/master/pkg/kubectl/cmd/get/get.go#L688

2. https://github.com/openshift/origin/pull/21131

Comment 3 Juan Vallejo 2018-10-04 00:02:24 UTC

Updated Origin PR: https://github.com/openshift/origin/pull/21167

Comment 4 openshift-github-bot 2018-10-06 02:52:01 UTC

Commit pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/4528aa09b789710b6efcddb6c2994ce4260763e9
fix projects when watching with selector

Bug 1633101

Filters events for projects on membership-change for a user based on a
field or label selector provided by a consumer of project events.

Comment 6 Xingxing Xia 2018-11-02 10:14:06 UTC

Checked in latest 3.11.36, issue still exists. Looks like the code only goes into 4.0? If yes, pls update Target Release and drop bug from above 3.11 advisory. Thanks

Comment 8 Xingxing Xia 2018-11-06 02:56:18 UTC

Tested 4.0.0-0.47.0, the issue is fixed.

Comment 12 errata-xmlrpc 2019-06-04 10:40:35 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758

Note You need to log in before you can comment on or make changes to this bug.