Description of problem:
Unable to remove cluster role self-provisioners from system:authenticated:oauth group

Version-Release number of selected component (if applicable):
4.0.0-0.nightly-2019-01-30-174704

How reproducible:
always

Steps to Reproduce:
1. As the cluster admin run cmd `oc adm policy remove-cluster-role-from-group self-provisioners system:authenticated:oauth`

Actual results:
error: unable to locate RoleBinding for ClusterRole "self-provisioners"

Expected results:
Could remove cluster role self-provisioners from system:authenticated:oauth group

Additional info:
$ oc adm policy remove-cluster-role-from-group self-provisioners system:authenticated:oauth --loglevel=8
I0201 16:07:34.583528 23657 loader.go:359] Config loaded from file 20190131/auth/kubeconfig
I0201 16:07:34.584167 23657 round_trippers.go:383] GET https://***cluster.openshift.com:6443/apis/rbac.authorization.k8s.io/v1/clusterrolebindings
I0201 16:07:34.584178 23657 round_trippers.go:390] Request Headers:
I0201 16:07:34.584183 23657 round_trippers.go:393] Accept: application/json, */*
I0201 16:07:34.584188 23657 round_trippers.go:393] User-Agent: oc/v1.11.0+42ba6e91ef (linux/amd64) kubernetes/42ba6e9
I0201 16:07:35.636184 23657 round_trippers.go:408] Response Status: 200 OK in 1051 milliseconds
I0201 16:07:35.636303 23657 round_trippers.go:411] Response Headers:
I0201 16:07:35.636328 23657 round_trippers.go:414] Date: Fri, 01 Feb 2019 08:07:35 GMT
I0201 16:07:35.636358 23657 round_trippers.go:414] Audit-Id: 002b6a51-b395-4497-8fe7-bfc6a515302c
I0201 16:07:35.636377 23657 round_trippers.go:414] Cache-Control: no-store
I0201 16:07:35.636395 23657 round_trippers.go:414] Content-Type: application/json
I0201 16:07:36.401625 23657 request.go:897] Response Body:
{"kind":"ClusterRoleBindingList","apiVersion":"rbac.authorization.k8s.io/v1","metadata":{"selfLink":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings","resourceVersion":"1073035"},"items":[{"metadata":{"name":"alertmanager-main","selfLink":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/alertmanager-main","uid":"2d6a5919-2528-11e9-a627-061ed6739886","resourceVersion":"11614","creationTimestamp":"2019-01-31T07:16:50Z"},"subjects":[{"kind":"ServiceAccount","name":"alertmanager-main","namespace":"openshift-monitoring"}],"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"alertmanager-main"}},{"metadata":{"name":"basic-users","selfLink":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/basic-users","uid":"68ad5525-2527-11e9-abad-061ed6739886","resourceVersion":"4944","creationTimestamp":"2019-01-31T07:11:20Z","annotations":{"rbac.authorization.kubernetes.io/autoupdate":"true"}},"subjects":[{"kind":"Group","apiGroup":"rbac.authorization.k8s.io","name":"system:authenti [truncated 89836 chars]
F0201 16:07:36.407348 23657 helpers.go:119] error: unable to locate RoleBinding for ClusterRole "self-provisioners"

It is the clusterrolebinding which is called self-provisioners, not the clusterrole. The clusterrole is just "self-provisioner".

However, the message is wrong. It should say 'error: unable to locate ClusterRoleBinding for ClusterRole "self-provisioners"' instead of just 'error: unable to locate RoleBinding for ClusterRole "self-provisioners"'.

Moving priority to low.
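
The name mismatch described in the comment above, as an added example (not code from this report or from `oc`): it searches a ClusterRoleBindingList by `roleRef` name and group, and reports when the name passed is a binding name rather than a role name. The sample list is constructed; its `self-provisioners` entry is an assumption based on the comment, and the function names are hypothetical.

```python
import json

# Constructed sample shaped like the ClusterRoleBindingList in the log above.
# The self-provisioners entry is an assumption taken from the comment, since
# the logged response body is truncated before it appears.
SAMPLE = json.loads("""
{"kind": "ClusterRoleBindingList", "items": [
  {"metadata": {"name": "alertmanager-main"},
   "subjects": [{"kind": "ServiceAccount", "name": "alertmanager-main",
                 "namespace": "openshift-monitoring"}],
   "roleRef": {"kind": "ClusterRole", "name": "alertmanager-main"}},
  {"metadata": {"name": "self-provisioners"},
   "subjects": [{"kind": "Group", "name": "system:authenticated:oauth"}],
   "roleRef": {"kind": "ClusterRole", "name": "self-provisioner"}}
]}
""")


def bindings_for(binding_list, role, group):
    """Names of ClusterRoleBindings that grant ClusterRole `role` to `group`."""
    found = []
    for item in binding_list.get("items", []):
        ref = item.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        # subjects may be absent or null on a binding with no members
        for subj in item.get("subjects") or []:
            if subj.get("kind") == "Group" and subj.get("name") == group:
                found.append(item["metadata"]["name"])
                break
    return found


def diagnose(binding_list, role, group):
    """Explain a lookup result, flagging a binding name passed as a role name."""
    hits = bindings_for(binding_list, role, group)
    if hits:
        return f"ClusterRole {role!r} is bound to {group!r} via {hits}"
    for item in binding_list.get("items", []):
        if item["metadata"]["name"] == role:
            actual = item["roleRef"]["name"]
            return (f"{role!r} is a ClusterRoleBinding name; "
                    f"it references ClusterRole {actual!r}")
    return f"no ClusterRoleBinding grants ClusterRole {role!r} to {group!r}"


if __name__ == "__main__":
    group = "system:authenticated:oauth"
    print(diagnose(SAMPLE, "self-provisioners", group))
    print(diagnose(SAMPLE, "self-provisioner", group))
```

Running the same check against the live list after a removal confirms whether the group still holds the role, rather than relying on the command's exit message.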