Description of problem: rolebindingrestrction for 4.x not working well Version-Release number of selected component (if applicable): 4.0.0-0.nightly-2019-02-26-125216 How reproducible: always Steps to Reproduce: 1.config kubeapiserver cluster with: spec: unsupportedConfigOverrides: admissionConfig: pluginConfig: openshift.io/RestrictSubjectBindings: configuration: apiversion: v1 kind: DefaultAdmissionConfig 2.create a user restriction rolebindingrestrion for ns pm1(user pm1 is owner): apiVersion: v1 kind: RoleBindingRestriction metadata: name: match-users spec: userrestriction: users: [""] 3.try to add view role to other user by user pm1 oc policy add-role-to-user view pm3 Actual results: Add view role to other user successfully Expected results: could not add role to other users, and should should report error like: rror from server (Forbidden): rolebindings.rbac.authorization.k8s.io "view" is forbidden: rolebindings to User "pm3" are not allowed in project "pm1" Additional info:
https://github.com/openshift/origin/pull/22254
Verified. $ oc get clusterversion NAME VERSION version 4.0.0-0.nightly-2019-03-13-233958
Since the changes reverted, https://github.com/openshift/origin/pull/22416 , re-open the issue.
in progress: https://github.com/openshift/origin/pull/22534, https://github.com/openshift/cluster-config-operator/pull/32
*** Bug 1703789 has been marked as a duplicate of this bug. ***
Series of PRS landing today/tomorrow in origin & cluster-config-operator to resolve, convert RBRs to CRD
PRs merged, RBRs are now CRDs. The issue originally reported in this BZ still exists, however. 1) set up htpasswd, add non-admin user testuser 2) login as testuser, create-project test 3) login as system:admin 4) create rbr: apiVersion: authorization.openshift.io/v1 kind: RoleBindingRestriction metadata: name: match-users spec: userrestriction: users: [""] 5) login as user testuser 6) oc policy add-role-to-user view user3 Actual results: Add view role to user3 successfully Expected results: could not add role to other users, and should should report error like: rror from server (Forbidden): rolebindings.rbac.authorization.k8s.io "view" is forbidden: rolebindings to User "user3" are not allowed in project "test" Will be looking into this Monday.
tried again, same cluster, a day later, got the correct and expected: $ oc policy add-role-to-user view testuser2 Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io "view-0" is forbidden: rolebindings to User "testuser2" are not allowed in project "test" I'll keep testing in fresh clusters.
I have tried the userrestriction, it work as expected.
Verified on 4.1.0-0.nightly-2019-05-06-223020
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0758