Description of problem:
OCP 3.11 documentation says: "To add or update custom roles and permissions, it is strongly recommended to use 'oc auth reconcile' command."

To update custom roles it is absolutely logical to use the 'oc auth reconcile' command, since it will append new verbs to the custom role instead of deleting old verbs and adding new verbs. I don't think the same command should be our recommendation while creating a custom role, because if there is a custom role with the same name as your new role present in the environment then it will just update the role. The cluster admin would not be notified that a custom role with the same name already exists in the environment, which in turn might provide extended permissions to the user/SA attached to this custom role.

Version-Release number of selected component (if applicable):
- OpenShift Container Platform 3.11

How reproducible:
- Always

Steps to Reproduce:
1. Create a custom role using the 'oc auth reconcile' command.
2. Create another custom role with the same name but a different definition than the first custom role.
3. You should be able to see that the 'oc auth reconcile' command creates a custom role if there is no custom role with the same name; otherwise it updates the existing role.

Actual results:
- The 'oc auth reconcile' command does not notify if a custom role with the same name already exists.

Expected results:
- It should notify the cluster admin.

Additional info:
Document URL: https://docs.openshift.com/container-platform/3.11/architecture/additional_concepts/authorization.html#applying-custom-roles-and-permissions

Section Number and Name:

Describe the issue:

Suggestions for improvement:
- To update custom roles and permissions, it is strongly recommended to use the following command:
    # oc auth reconcile -f FILE

Additional information:
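The following wrapper script is an added example, not part of this bug report, the OpenShift documentation, or the openshift-docs pull request. It shows the distinction the report is about in working code: a role definition is passed to 'oc create' (which fails if a ClusterRole of that name already exists) unless the admin explicitly asks for an update, in which case 'oc auth reconcile' is used. The script assumes 'oc' is on PATH with a cluster-admin context and that the input file is a single-document ClusterRole manifest whose 'metadata:' block has a two-space-indented 'name:' line; the function names and the one-role-per-file layout are the example's own assumptions. The existence check and the name parser are pure functions so they can be exercised without a cluster.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report or the OpenShift docs).
# Refuse to silently reconcile over an existing ClusterRole; require an
# explicit "update" mode before 'oc auth reconcile' is allowed to run.
# usage: safe_apply_role ROLE_FILE.yaml [create|update]

# Print the "kind:" value of a single-document manifest (assumed top-level key).
manifest_kind() {
  awk '/^kind:/{print $2; exit}' "$1"
}

# Print metadata.name from a single-document manifest. Assumes the name line
# is indented by two spaces directly under a top-level "metadata:" key.
role_name_from_file() {
  awk '/^metadata:/{m=1; next} m && /^  name:/{print $2; exit} /^[^ ]/{m=0}' "$1"
}

# Pure decision: "exists" if NAME appears in the newline-separated list of
# existing role names, "create" otherwise. Exact whole-line match so that
# "admin" does not match "cluster-admin".
decide_action() {
  local name="$1" existing="$2"
  if printf '%s\n' "$existing" | grep -qxF -- "$name"; then
    echo exists
  else
    echo create
  fi
}

# Apply ROLE_FILE. In "create" mode (default) an existing role of the same
# name is an error that is reported to the admin. In "update" mode the role
# is reconciled, which, as the bug report notes, only appends permissions.
safe_apply_role() {
  local file="$1" mode="${2:-create}"
  local kind name existing

  kind=$(manifest_kind "$file")
  if [ "$kind" != ClusterRole ]; then
    echo "safe_apply_role: only ClusterRole manifests are handled (got '$kind')" >&2
    return 2
  fi
  name=$(role_name_from_file "$file")
  if [ -z "$name" ]; then
    echo "safe_apply_role: could not find metadata.name in $file" >&2
    return 2
  fi

  # One plain name per line; custom-columns gives a stable format across oc versions.
  existing=$(oc get clusterrole -o custom-columns=NAME:.metadata.name --no-headers)

  case "$(decide_action "$name" "$existing")" in
    create)
      # 'oc create' itself fails with AlreadyExists, so nothing is overwritten
      # even if the role appeared between the check and the create.
      oc create -f "$file"
      ;;
    exists)
      if [ "$mode" = update ]; then
        oc auth reconcile -f "$file"
      else
        echo "safe_apply_role: clusterrole/$name already exists in this cluster;" >&2
        echo "  inspect it with 'oc describe clusterrole $name' and rerun with 'update' to reconcile" >&2
        return 1
      fi
      ;;
  esac
}
```

Running 'oc create' for the new-role path and reserving 'oc auth reconcile' for the explicit update path gives the notification the report asks for: a name collision stops the operation and names the existing role instead of widening its permissions.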
Made changes as described: Updated Applying Custom Roles and Permissions with clarification when adding or updating new custom roles and permissions. This can be reviewed here: https://github.com/openshift/openshift-docs/pull/21202. Moving this bug to ON_QA.
Verified.
Added a link to an example yaml file for creating cluster roles per peer review feedback. Moving this bug back to ON_QA for a second look.
Verified fix is published and live on docs.openshift.com: https://docs.openshift.com/container-platform/3.11/architecture/additional_concepts/authorization.html#applying-custom-roles-and-permissions
Verified fix is published and live on the Customer Portal: https://access.redhat.com/documentation/en-us/openshift_container_platform/3.11/html/architecture/additional-concepts#roles (4.2.4.2. Applying Custom Roles and Permissions)