Description of problem:
The role binding is restricted and should not be added to other groups by default.

Version-Release number of selected component (if applicable):
Kubernetes Master Version v1.13.4+81fc896

How reproducible:
always

Steps to Reproduce:
1. Log in to https://console-openshift-console.apps.stg-2.online-starter.openshift.com
2. Add a view role to another group, e.g.:
$ oc policy add-role-to-group view groupA

Actual results:
Role added successfully

Expected results:
The role "view" could not be granted. Reason: rolebindings "view" is forbidden: rolebindings to Group "groupA" are not allowed in project "xxx"

Additional info:
The same issue occurs not only with Group but also with ServiceAccount and User.
After looking at 1684344 for a bit, we determined we could workaround this issue in online environments using a validating webhook. It has been installed in stg-2 and added to source control for subsequent clusters. Please take another look.

At present, the following error should result:

$ oc policy add-role-to-group view groupA
Error from server: admission webhook "validate.rolebinding.update" denied the request: Prohibited rolebinding
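The workaround above is a validating admission webhook that refuses such RoleBindings. The following is an added example of the decision logic such a webhook could apply (it is not the stg-2 webhook's actual code). The policy it enforces is an assumption: a project may bind roles only to its own requester and to ServiceAccounts in its own namespace, and Group subjects are always refused; `sample_review` builds a constructed AdmissionReview matching the `oc policy add-role-to-group view groupA` request.

```python
# Added example, not the stg-2 webhook's own code.  Assumed policy: a project
# may bind roles only to its own requester (passed in as project_owner) and to
# ServiceAccounts in its own namespace; Group subjects are always refused.


def prohibited_subjects(rolebinding: dict, project_owner: str) -> list:
    """Return the RoleBinding subjects the assumed policy does not permit."""
    namespace = rolebinding["metadata"]["namespace"]
    bad = []
    for subj in rolebinding.get("subjects", []):
        kind, name = subj.get("kind"), subj.get("name")
        if kind == "User" and name == project_owner:
            continue
        if kind == "ServiceAccount" and subj.get("namespace", namespace) == namespace:
            continue
        bad.append(f'{kind} "{name}"')  # Group subjects always land here
    return bad


def review(admission_review: dict, project_owner: str) -> dict:
    """Build the AdmissionReview response for a CREATE/UPDATE of a RoleBinding."""
    req = admission_review["request"]
    obj = req["object"]
    bad = prohibited_subjects(obj, project_owner)
    response = {"uid": req["uid"], "allowed": not bad}
    if bad:  # deny, with a message in the style the bug report expected
        project = obj["metadata"]["namespace"]
        response["status"] = {
            "code": 403,
            "message": f"Prohibited rolebinding: rolebindings to {', '.join(bad)} "
                       f'are not allowed in project "{project}"',
        }
    return {"apiVersion": "admission.k8s.io/v1beta1", "kind": "AdmissionReview",
            "response": response}


def sample_review(kind: str, name: str, namespace: str = "xxx") -> dict:
    """Constructed AdmissionReview like the one `oc policy add-role-to-group view`
    would trigger; the subject kind and name are parameters so each case can be tried."""
    subject = {"kind": kind, "name": name}
    if kind != "ServiceAccount":  # User/Group subjects carry the RBAC apiGroup
        subject["apiGroup"] = "rbac.authorization.k8s.io"
    return {"apiVersion": "admission.k8s.io/v1beta1", "kind": "AdmissionReview",
            "request": {"uid": "constructed-uid-1", "operation": "CREATE",
                        "namespace": namespace,
                        "object": {"apiVersion": "rbac.authorization.k8s.io/v1",
                                   "kind": "RoleBinding",
                                   "metadata": {"name": "view", "namespace": namespace},
                                   "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                                               "kind": "ClusterRole", "name": "view"},
                                   "subjects": [subject]}}}
```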
Thanks Justin. Yes, at present the following error results:

$ oc policy add-role-to-group view groupA
Error from server: admission webhook "validate.rolebinding.update" denied the request: Prohibited rolebinding

ServiceAccount and User are the same.