Description of problem:
$ oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth
Users became unable to create projects, which is expected. However, we did a master-restart api api and users are able to create projects.

Version-Release number of selected component (if applicable):
v3.11.104
Kubernetes v1.110+d4cacc0

How reproducible:
Every time. After the masters restart, users are able to create projects with the CLI as well as from the GUI.
$ oc describe clusterrolebinding.rbac self-provisioner
is showing the correct annotation, rbac.authorization.kubernetes.io/autoupdate=false, and empty subjects.

Steps to Reproduce:
1. remove clusterrole from group
2. annotate clusterrole
3. users unable to create project
4. restart master api
5. users are able to create project

Actual results:
users are able to create projects after restart of master api

Expected results:
users should still be unable to create projects after restart of master api

Additional info:
After removing the clusterrole, we did a
$ oc adm create-bootstrap-policy-file --filename=policy.json
The clusterrolebinding is not updated in policy.json even though oc describe clusterrolebinding.rbac is showing the correct configuration.
I did
$ oc get clusterrolebindings | grep provisioner
and there are 2 system groups, self-provisioner and self-provisioners. I have removed the subject from both, but the annotation (rbac.authorization.kubernetes.io/autoupdate=false) is not taken.
For self-provisioner, I used rbac.authorization.kubernetes.io/autoupdate=false and restarting the master does not forbid users from creating projects.
For self-provisioners, rbac.authorization.kubernetes.io/autoupdate=false does not stay after restart, but updating openshift.io/reconcile-protect: false lets the change take effect and users are not able to create new projects.
Please verify the confusion for both clusterroles and the correct annotations to be added.
Hi, I've tested and checked. These are the steps to disable self-provisioning:
1. $ oc get clusterrolebindings | grep prov
2. $ oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'
3. $ oc patch clusterrolebinding.rbac self-provisioner -p '{"subjects": null}'
4. $ oc get clusterrolebindings | grep prov (system:authenticated:oauth should not be there)
5. $ oc edit clusterrolebindings self-provisioner (edit annotation "rbac.authorization.kubernetes.io/autoupdate": "false")
6. $ oc edit clusterrolebindings self-provisioners (edit annotation "openshift.io/reconcile-protect": "true")
7. restart master services and the config stays.
With reference to our documentation, https://docs.openshift.com/container-platform/3.11/admin_guide/managing_projects.html#disabling-self-provisioning, the annotation "openshift.io/reconcile-protect": "true" is not mentioned. May I check if the steps are correct?
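A post-restart check over the output of oc get clusterrolebindings.rbac -o json that encodes the end state the steps above describe: both bindings with no subjects, self-provisioner carrying autoupdate=false and self-provisioners carrying reconcile-protect=true. This is an added example, not code from the bug report or from OpenShift; the binding-to-annotation mapping is taken from the comment above and the sample bindings are constructed.

```python
import json
import sys

# The two cluster role bindings discussed in this bug, with the annotation the
# tester's comment reports as surviving a master API restart for each one.
# Assumption: this mapping comes from the comment above, not from OpenShift docs.
EXPECTED_PROTECTION = {
    "self-provisioner": ("rbac.authorization.kubernetes.io/autoupdate", "false"),
    "self-provisioners": ("openshift.io/reconcile-protect", "true"),
}

def check_self_provisioning_disabled(binding_list):
    """Return {binding name: [problems]} for a ClusterRoleBindingList dict, the
    shape of `oc get clusterrolebindings.rbac -o json`. Empty list means OK."""
    found = {b["metadata"]["name"]: b for b in binding_list.get("items", [])}
    report = {}
    for name, (ann_key, ann_value) in EXPECTED_PROTECTION.items():
        binding = found.get(name)
        if binding is None:
            report[name] = ["binding not found"]
            continue
        problems = []
        # Steps 2-4 of the comment: after patching subjects to null, nothing may remain bound.
        subjects = binding.get("subjects") or []
        if subjects:
            bound = ", ".join(f"{s.get('kind')}/{s.get('name')}" for s in subjects)
            problems.append(f"subjects still bound: {bound}")
        # Steps 5-6: the annotation that keeps the binding from being reset.
        actual = (binding["metadata"].get("annotations") or {}).get(ann_key)
        if actual != ann_value:
            problems.append(f'annotation {ann_key} should be "{ann_value}", got {actual!r}')
        report[name] = problems
    return report

# Constructed sample: self-provisioners is done correctly; self-provisioner still
# binds the oauth group and has not been annotated.
SAMPLE = {"items": [
    {"metadata": {"name": "self-provisioners",
                  "annotations": {"openshift.io/reconcile-protect": "true"}},
     "subjects": None},
    {"metadata": {"name": "self-provisioner", "annotations": {}},
     "subjects": [{"kind": "Group", "name": "system:authenticated:oauth"}]},
]}

if __name__ == "__main__":
    # Pass a file saved from `oc get clusterrolebindings.rbac -o json`; else use SAMPLE.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, problems in check_self_provisioning_disabled(data).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it again after master-restart api api; any line other than OK means the binding was reset or never protected.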
case was closed