Description of problem:
When uninstalling an operator whose CSV contains the "clusterPermissions" field, the related clusterrole, clusterrolebinding and sa cannot be deleted.
Version-Release number of selected component (if applicable):
oc version:4.1.0-0.nightly-2019-07-10-210957
OLM version: 0.9.0
commit.url=https://github.com/operator-framework/operator-lifecycle-manager/commit/b45dae333aa3d6e4baa8fb8625eac5d7700c6525
How reproducible:
Always
Steps to Reproduce:
1. Install the etcd operator with "Update Channel": "clusterwide-alpha" via the web console
2. Uninstall the etcd operator via the web console
Actual results:
1. ClusterRole, ClusterRoleBinding, SA created
2. ClusterRole, ClusterRoleBinding, SA are not deleted
Expected results:
2. ClusterRole, ClusterRoleBinding, SA should all be deleted
Additional info:
$ oc get sub -n openshift-operators
NAME PACKAGE SOURCE CHANNEL
etcd etcd installed-community-openshift-operators clusterwide-alpha
$ oc get clusterrole | grep etcd
etcdbackups.etcd.database.coreos.com-v1beta2-admin 46m
etcdbackups.etcd.database.coreos.com-v1beta2-crdview 46m
etcdbackups.etcd.database.coreos.com-v1beta2-edit 46m
etcdbackups.etcd.database.coreos.com-v1beta2-view 46m
etcdclusters.etcd.database.coreos.com-v1beta2-admin 46m
etcdclusters.etcd.database.coreos.com-v1beta2-crdview 46m
etcdclusters.etcd.database.coreos.com-v1beta2-edit 46m
etcdclusters.etcd.database.coreos.com-v1beta2-view 46m
etcdoperator.v0.9.4-clusterwide-9rmpt 47m
etcdrestores.etcd.database.coreos.com-v1beta2-admin 46m
etcdrestores.etcd.database.coreos.com-v1beta2-crdview 46m
etcdrestores.etcd.database.coreos.com-v1beta2-edit 46m
etcdrestores.etcd.database.coreos.com-v1beta2-view 46m
$ oc get clusterrolebinding | grep etcd
etcdoperator.v0.9.4-clusterwide-9rmpt-etcd-operator-56b6h 47m
$ oc get sa -n openshift-operator
etcd-operator 2 48m
Delete the etcd operator:
$ oc get sub -n openshift-operators
No resources found.
$ oc get clusterrole | grep etcd
etcdbackups.etcd.database.coreos.com-v1beta2-admin 50m
etcdbackups.etcd.database.coreos.com-v1beta2-crdview 50m
etcdbackups.etcd.database.coreos.com-v1beta2-edit 50m
etcdbackups.etcd.database.coreos.com-v1beta2-view 50m
etcdclusters.etcd.database.coreos.com-v1beta2-admin 50m
etcdclusters.etcd.database.coreos.com-v1beta2-crdview 50m
etcdclusters.etcd.database.coreos.com-v1beta2-edit 50m
etcdclusters.etcd.database.coreos.com-v1beta2-view 50m
etcdoperator.v0.9.4-clusterwide-9rmpt 50m
etcdrestores.etcd.database.coreos.com-v1beta2-admin 50m
etcdrestores.etcd.database.coreos.com-v1beta2-crdview 50m
etcdrestores.etcd.database.coreos.com-v1beta2-edit 50m
etcdrestores.etcd.database.coreos.com-v1beta2-view 50m
$ oc get clusterrolebinding | grep etcd
etcdoperator.v0.9.4-clusterwide-9rmpt-etcd-operator-56b6h 50m
$ oc get sa -n openshift-operators
NAME SECRETS AG
etcd-operator 2 51m
$ oc get crd|grep etcd
etcdbackups.etcd.database.coreos.com 2019-07-12T02:25:40Z
etcdclusters.etcd.database.coreos.com 2019-07-12T02:25:40Z
etcdrestores.etcd.database.coreos.com 2019-07-12T02:25:40Z
There are a couple of things here:
1. Cluster scoped objects cannot have ownerreferences, so we can't rely on the mechanisms (kube GC) that we do for other resources.
2. ServiceAccounts do get GC'd, just not clusterroles or clusterrolebindings.
In my opinion, #2 lowers the severity. We will have a PR up to fix this soon.
I looked into doing this and the queueing code has changed significantly in a way that pulling this backport in would require also pulling in a bunch of new code. Since this is not a critical bug, opting to just leave the code as is.
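Added example, not part of the original report or of OLM's code: since the thread says ServiceAccounts are garbage-collected but ClusterRoles and ClusterRoleBindings are not, this audit lists ClusterRoleBindings that still grant a ClusterRole to a ServiceAccount that no longer exists. It assumes input shaped like `oc get clusterrolebinding -o json` and `oc get sa --all-namespaces -o json`; the function names and the sample data are constructed for illustration.

```python
"""Audit: ClusterRoleBindings whose ServiceAccount subjects have been deleted."""
import json
import sys


def live_service_accounts(sa_list):
    """Set of (namespace, name) for every ServiceAccount in the list."""
    return {(i["metadata"]["namespace"], i["metadata"]["name"])
            for i in sa_list.get("items", [])}


def dangling_bindings(crb_list, sa_list):
    """Return [(binding, clusterrole, ['ns/name', ...])] for every binding that
    names at least one ServiceAccount subject that is not in sa_list."""
    live = live_service_accounts(sa_list)
    findings = []
    for crb in crb_list.get("items", []):
        missing = [f'{s.get("namespace", "")}/{s["name"]}'
                   for s in crb.get("subjects") or []  # subjects may be null
                   if s.get("kind") == "ServiceAccount"
                   and (s.get("namespace", ""), s["name"]) not in live]
        if missing:
            findings.append((crb["metadata"]["name"],
                             crb["roleRef"]["name"], missing))
    return findings


# Constructed sample: cluster state after uninstall, once the operator's
# ServiceAccount has been garbage-collected. Names mirror the listing above.
SAMPLE_CRBS = {"items": [
    {"metadata": {"name": "etcdoperator.v0.9.4-clusterwide-9rmpt-etcd-operator-56b6h"},
     "roleRef": {"kind": "ClusterRole", "name": "etcdoperator.v0.9.4-clusterwide-9rmpt"},
     "subjects": [{"kind": "ServiceAccount", "name": "etcd-operator",
                   "namespace": "openshift-operators"}]},
    {"metadata": {"name": "example-live-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "default"}]},
    {"metadata": {"name": "example-no-subjects"},
     "roleRef": {"kind": "ClusterRole", "name": "view"}, "subjects": None},
]}
SAMPLE_SAS = {"items": [{"metadata": {"namespace": "default", "name": "default"}}]}

if __name__ == "__main__":
    # With two file arguments (crb.json sa.json) audit real output; else the sample.
    if len(sys.argv) == 3:
        crbs, sas = (json.load(open(p)) for p in sys.argv[1:3])
    else:
        crbs, sas = SAMPLE_CRBS, SAMPLE_SAS
    for name, role, missing in dangling_bindings(crbs, sas):
        print(f"{name}: ClusterRole {role} still bound to deleted SA(s) {', '.join(missing)}")
```

Each reported binding and the ClusterRole it references are candidates for manual cleanup after confirming the operator is no longer installed.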