Bug 1723851 - Operators requesting cluster-scoped permission can trigger kube GC bug
Summary: Operators requesting cluster-scoped permission can trigger kube GC bug
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: OLM
Version: 4.1.0
Hardware: All
OS: All
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.1.z
Assignee: Evan Cordell
QA Contact: Jian Zhang
URL:
Whiteboard: 4.1.5
Depends On:
Blocks:
Reported: 2019-06-25 14:23 UTC by Evan Cordell
Modified: 2019-08-28 19:54 UTC
CC List: 6 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-28 19:54:45 UTC
Target Upstream Version:

Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2547 None None None 2019-08-28 19:54:54 UTC
Red Hat Bugzilla 1691546 None None None 2019-08-24 08:05:20 UTC

Comment 7 Jian Zhang 2019-08-20 06:18:27 UTC
LGTM, steps as below:
Cluster version is 4.1.0-0.nightly-2019-08-19-173358
OLM version:                
io.openshift.build.commit.url=https://github.com/operator-framework/operator-lifecycle-manager/commit/e782ca5034ae1fc706145ffd4634ebdffb58b2ba
io.openshift.build.source-location=https://github.com/operator-framework/operator-lifecycle-manager

1) Install an operator which contains `clusterPermissions` field. For example, AMQ-Stream.

mac:~ jianzhang$ oc get sub -n openshift-operators
NAME          PACKAGE       SOURCE                                 CHANNEL
amq-streams   amq-streams   installed-redhat-openshift-operators   stable
mac:~ jianzhang$ oc get csv -n openshift-operators
NAME                DISPLAY       VERSION   REPLACES            PHASE
amqstreams.v1.2.0   AMQ Streams   1.2.0     amqstreams.v1.1.0   Succeeded

2) Check whether its `ClusterRole`/`ClusterRoleBinding` objects contain the `OwnerReferences` field.
mac:~ jianzhang$ oc get clusterrole amqstreams.v1.2.0-65zzh -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2019-08-20T06:09:06Z"
  labels:
    olm.owner: amqstreams.v1.2.0
    olm.owner.kind: ClusterServiceVersion
    olm.owner.namespace: openshift-operators
  name: amqstreams.v1.2.0-65zzh
  resourceVersion: "60969"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/amqstreams.v1.2.0-65zzh
  uid: 04665d3a-c311-11e9-9ac3-02244971cb6e
rules:
...

mac:~ jianzhang$ oc get clusterrolebinding amqstreams.v1.2.0-65zzh-strimzi-cluster-operator-95n7h -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2019-08-20T06:09:06Z"
  labels:
    olm.owner: amqstreams.v1.2.0
    olm.owner.kind: ClusterServiceVersion
    olm.owner.namespace: openshift-operators
  name: amqstreams.v1.2.0-65zzh-strimzi-cluster-operator-95n7h
  resourceVersion: "60972"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/amqstreams.v1.2.0-65zzh-strimzi-cluster-operator-95n7h
  uid: 04695dae-c311-11e9-9ac3-02244971cb6e
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: amqstreams.v1.2.0-65zzh
subjects:
- kind: ServiceAccount
  name: strimzi-cluster-operator
  namespace: openshift-operators

No `OwnerReferences` field anymore. LGTM, verify it.
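The manual check in comment 7 (look at each ClusterRole/ClusterRoleBinding created for the operator and confirm there is no `ownerReferences` block, only the `olm.owner*` labels) can be automated over the JSON that `oc get clusterrole,clusterrolebinding -o json` prints. The script below is an added example written for this page; it is not OLM's code and not part of the bug report. It assumes that `ClusterServiceVersion` is the namespaced owner kind the pre-fix ownerReferences pointed at (the kind shown in the `olm.owner.kind` label above), and its `SAMPLE` document is constructed: the first item imitates the pre-fix shape with a placeholder UID, the second copies the post-fix shape from the comment.

```python
import json
import sys

# Cluster-scoped RBAC kinds that OLM creates for operators declaring
# `clusterPermissions`. An ownerReference on one of these is the pattern
# this bug report is about.
CLUSTER_SCOPED_KINDS = {"ClusterRole", "ClusterRoleBinding"}

# Owner kinds that are namespaced. A cluster-scoped dependent that points at a
# namespaced owner is not a valid ownership relation for the Kubernetes
# garbage collector. (Assumption: ClusterServiceVersion is the only owner
# kind relevant here.)
NAMESPACED_OWNER_KINDS = {"ClusterServiceVersion"}


def audit_cluster_scoped(items):
    """Return one finding per ownerReference found on a cluster-scoped RBAC object.

    `items` is the `items` list of a `kind: List` document, as produced by
    `oc get clusterrole,clusterrolebinding -o json`.
    """
    findings = []
    for obj in items:
        kind = obj.get("kind")
        if kind not in CLUSTER_SCOPED_KINDS:
            continue
        meta = obj.get("metadata") or {}
        for ref in meta.get("ownerReferences") or []:
            owner_kind = ref.get("kind")
            findings.append({
                "kind": kind,
                "name": meta.get("name", "<unnamed>"),
                "owner_kind": owner_kind,
                "owner_name": ref.get("name"),
                # A namespaced owner on a cluster-scoped object is the case
                # that triggers the GC problem; any other owner is still
                # worth reporting, since the fix removed ownerReferences entirely.
                "invalid_owner": owner_kind in NAMESPACED_OWNER_KINDS,
            })
    return findings


def olm_owner(obj):
    """Ownership as OLM records it after the fix: labels, not ownerReferences.

    Returns (owner_kind, owner_namespace, owner_name), or None if the object
    carries no olm.owner label.
    """
    labels = (obj.get("metadata") or {}).get("labels") or {}
    if "olm.owner" not in labels:
        return None
    return (labels.get("olm.owner.kind"),
            labels.get("olm.owner.namespace"),
            labels["olm.owner"])


# Constructed sample (not captured from a cluster). Item 0 imitates the
# pre-fix shape: a ClusterRole owned by a namespaced CSV (placeholder UID).
# Item 1 copies the post-fix ClusterRoleBinding shown in comment 7.
SAMPLE = {
    "kind": "List",
    "items": [
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRole",
            "metadata": {
                "name": "amqstreams.v1.2.0-65zzh",
                "ownerReferences": [{
                    "apiVersion": "operators.coreos.com/v1alpha1",
                    "kind": "ClusterServiceVersion",
                    "name": "amqstreams.v1.2.0",
                    "uid": "00000000-0000-0000-0000-000000000001",
                }],
            },
            "rules": [],
        },
        {
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRoleBinding",
            "metadata": {
                "name": "amqstreams.v1.2.0-65zzh-strimzi-cluster-operator-95n7h",
                "labels": {
                    "olm.owner": "amqstreams.v1.2.0",
                    "olm.owner.kind": "ClusterServiceVersion",
                    "olm.owner.namespace": "openshift-operators",
                },
            },
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "amqstreams.v1.2.0-65zzh"},
            "subjects": [{"kind": "ServiceAccount", "name": "strimzi-cluster-operator",
                          "namespace": "openshift-operators"}],
        },
    ],
}


def main():
    # Read a List document from stdin when piped in, otherwise audit the sample.
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    items = doc.get("items", [])
    findings = audit_cluster_scoped(items)
    for f in findings:
        flag = "INVALID (namespaced owner)" if f["invalid_owner"] else "owner reference present"
        print(f"{f['kind']}/{f['name']}: {flag} -> {f['owner_kind']}/{f['owner_name']}")
    for obj in items:
        owner = olm_owner(obj)
        if owner:
            print(f"{obj['kind']}/{obj['metadata']['name']}: tracked by labels -> {owner}")
    # Non-zero exit when any cluster-scoped RBAC object still carries an ownerReference.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Usage against a live cluster: `oc get clusterrole,clusterrolebinding -o json | python audit_olm_rbac.py`. A non-zero exit means at least one cluster-scoped object still has an `ownerReferences` entry, which is the pre-fix state; the expected post-fix output is only the "tracked by labels" lines.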

Comment 9 errata-xmlrpc 2019-08-28 19:54:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2547

