Bug 1733883 - Users able to create project even though self-provisioner clusterrole is removed from group system:authenticated:oauth
Summary: Users able to create project even though self-provisioner clusterrole is remo...
Keywords:
Status: NEW
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 3.11.z
Assignee: Standa Laznicka
QA Contact: Wei Sun
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-07-29 06:20 UTC by pk
Modified: 2020-01-08 08:04 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description pk 2019-07-29 06:20:56 UTC 
Description of problem:
$ oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth

Users became unable to create projects, which is expected.

However we did a master-restart api api

Users are able to create project.

Version-Release number of selected component (if applicable):
v3.11.104
Kubernetes v1.110+d4cacc0

How reproducible:
Everytime. After masters restart, users are able to create project with CLI as well as from GUI. $ oc describe clusterrolebinding.rbac self-provisioner is showing the correct annotations: rbac.authorization.kubernetes.io/autoupdate=false and empty subjects. 

Steps to Reproduce:
1. remove clusterrole from group
2. annotate clusterrole
3. users unable to create project
4. restart master api
5. users are able to create project

Actual results:
users are able to create project after restart of master api

Expected results:
users should still be unable to create project after restart of master api

Additional info:
after removing clusterrole, we did a $oc adm create-bootstrap-policy-file --filename=policy.json. The clusterrolebinding is not updated in policy.json even though $oc describe clusterrolebinding.rbac is showing correct configuration.

I did a oc get clusterrolebindings | grep provisioner and there are 2 system groups, the self-provisioner and self-provisoners. I have removed subject from both but the annotations (rbac.authorization.kubernetes.io/autoupdate=false) is not taken. 

For self-provisioner, i used rbac.authorization.kubernetes.io/autoupdate=false and restarting master does not forbid users create project.

For self-provisioners, rbac.authorization.kubernetes.io/autoupdate=false does not stay after restart but updating openshift.io/reconcile-protect: false lets the change takes effect and users are not able to create new project.

Please verify the confusion for both clusterroles and the correct annotations to be added.
Comment 2 pk 2019-07-30 02:34:42 UTC 
Hi,

I've tested and checked. These are the steps to disable self-provisioning:

1. $ oc get clusterrolebindings | grep prov
2. $ oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'
3. $ oc patch clusterrolebinding.rbac self-provisioner -p '{"subjects": null}'
4. $ oc get clusterrolebindings | grep prov (system:authenticated:oauth should not be there)
5. $ oc edit clusterrolebindings self-provisioner ( edit annotation "rbac.authorization.kubernetes.io/autoupdate": "false")
6. $ oc edit clusterrolebindings self-provisioners ( edit annotation "openshift.io/reconcile-protect: "true")
7. restart master services and the config stays.

With reference to our documentation, https://docs.openshift.com/container-platform/3.11/admin_guide/managing_projects.html#disabling-self-provisioning

annotation "openshift.io/reconcile-protect: "true" is not mentioned. May I check if the steps are correct?
Note You need to log in before you can comment on or make changes to this bug.