Description of problem:
Federating a namespace failed.

Version-Release number of selected component (if applicable):
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.2.0-0.nightly-2019-08-10-002649   True        False         164m    Error while reconciling 4.2.0-0.nightly-2019-08-10-002649: the update could not be applied

kubefedctl version: version.Info{Version:"v4.2.0", GitCommit:"b8ae65cee603cc9c746911debd3dc23b922222d8", GitTreeState:"clean", BuildDate:"2019-08-08T18:18:54Z", GoVersion:"go1.12.6", Compiler:"gc", Platform:"linux/amd64"}
KubeFed controller-manager version: version.Info{Version:"v4.2.0", GitCommit:"b8ae65cee603cc9c746911debd3dc23b922222d8", GitTreeState:"clean", BuildDate:"2019-08-08T18:58:34Z", GoVersion:"go1.12.6", Compiler:"gc", Platform:"linux/amd64"}

How reproducible:
100%

Steps to Reproduce:
1. Installed a cluster scoped kubefedcontroller
2. Joined 2 clusters into the federation
3. Created a namespace
   $ oc create ns test-namespace
4. Federated namespace
   $ kubefedctl federate ns test-namespace -e -c --kubefed-namespace=federation-system

Actual results:
customresourcedefinition.apiextensions.k8s.io/federatednamespaces.types.kubefed.io created
federatedtypeconfig.core.kubefed.io/namespaces created in namespace federation-system
I0812 16:15:24.549821 6232 federate.go:459] Resource to federate is a namespace. Given namespace will itself be the container for the federated namespace
I0812 16:15:24.668155 6232 federate.go:488] Successfully created FederatedNamespace "test-namespace/test-namespace" from Namespace
I0812 16:15:24.771175 6232 federate.go:488] Successfully created FederatedSecret "test-namespace/builder-dockercfg-nrrsn" from Secret
I0812 16:15:24.874326 6232 federate.go:488] Successfully created FederatedSecret "test-namespace/builder-token-86qb7" from Secret
I0812 16:15:24.977652 6232 federate.go:488] Successfully created FederatedSecret "test-namespace/builder-token-sg97j" from Secret
I0812 16:15:25.079669 6232 federate.go:488] Successfully created FederatedSecret "test-namespace/default-dockercfg-sd597" from Secret
I0812 16:15:25.182751 6232 federate.go:488] Successfully created FederatedSecret "test-namespace/default-token-9mrz5" from Secret
I0812 16:15:25.285432 6232 federate.go:488] Successfully created FederatedSecret "test-namespace/default-token-q85b4" from Secret
I0812 16:15:25.387480 6232 federate.go:488] Successfully created FederatedSecret "test-namespace/deployer-dockercfg-5cdrb" from Secret
I0812 16:15:25.490251 6232 federate.go:488] Successfully created FederatedSecret "test-namespace/deployer-token-g7whc" from Secret
I0812 16:15:25.593049 6232 federate.go:488] Successfully created FederatedSecret "test-namespace/deployer-token-ndwts" from Secret
customresourcedefinition.apiextensions.k8s.io/federatedserviceaccounts.types.kubefed.io created
federatedtypeconfig.core.kubefed.io/serviceaccounts created in namespace federation-system
I0812 16:15:35.762676 6232 federate.go:488] Successfully created FederatedServiceAccount "test-namespace/builder" from ServiceAccount
I0812 16:15:35.861546 6232 federate.go:488] Successfully created FederatedServiceAccount "test-namespace/default" from ServiceAccount
I0812 16:15:35.961164 6232 federate.go:488] Successfully created FederatedServiceAccount "test-namespace/deployer" from ServiceAccount
customresourcedefinition.apiextensions.k8s.io/federatedrolebindings.types.kubefed.io created
federatedtypeconfig.core.kubefed.io/rolebindings.authorization.openshift.io created in namespace federation-system
F0812 16:15:45.724853 6232 federate.go:150] Error: Error creating federated resource "test-namespace/system:deployers": FederatedRoleBinding.types.kubefed.io "system:deployers" is invalid: metadata.name: Invalid value: "system:deployers": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

Expected results:
Maybe the SAs and Secrets created when creating a namespace should not be federated.

Additional info:
Although one can use --skip-api-resources "roles,rolebindings,sa,secret" to avoid this issue, I thought the user may not know which resources are created when creating a namespace or project, so I am still opening this bug.
The general approach would be to identify system-created resources in a reliable way and skip federating them.
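A pre-flight check for the failure reported above, as an added example that is not kubefedctl's own code: it applies the DNS-1123 subdomain pattern quoted in the error message (plus the 253-character limit Kubernetes sets for such names) to object names and builds the value for the --skip-api-resources workaround. The `Object` type, the function names and the sample inventory are hypothetical; the sample names are taken from the log in this report.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Pattern quoted in the API server's rejection message, anchored to the whole name.
var dns1123Subdomain = regexp.MustCompile(
	`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// Object is a hypothetical (resource type, name) pair, e.g. one row of `oc get` output.
type Object struct{ Resource, Name string }

// ValidFederatedName reports whether name is acceptable as metadata.name of a
// Federated<Kind> object: a DNS-1123 subdomain of at most 253 characters.
func ValidFederatedName(name string) bool {
	return len(name) <= 253 && dns1123Subdomain.MatchString(name)
}

// SkipResources returns the sorted, comma-joined resource types that hold at
// least one object whose name would be rejected, for use with --skip-api-resources.
func SkipResources(objs []Object) string {
	seen := map[string]bool{}
	for _, o := range objs {
		if !ValidFederatedName(o.Name) {
			seen[o.Resource] = true
		}
	}
	skip := make([]string, 0, len(seen))
	for r := range seen {
		skip = append(skip, r)
	}
	sort.Strings(skip)
	return strings.Join(skip, ",")
}

// Constructed inventory using names that appear in the log of this report.
var sample = []Object{
	{"secrets", "builder-token-86qb7"},
	{"serviceaccounts", "deployer"},
	{"rolebindings", "system:deployers"},
}

func main() {
	fmt.Printf("--skip-api-resources %q\n", SkipResources(sample))
}
```

The check only predicts the name-validation failure; it does not decide whether token and dockercfg Secrets should be propagated to member clusters, which is the separate question raised under "Expected results".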
Ping. This should be fixed in the latest downstream images.
Failed verification with:
kubefedctl version: version.Info{Version:"v4.2.0", GitCommit:"7f002471b9dd8366e1e0f080b46bc79864682f71", GitTreeState:"clean", BuildDate:"2019-08-25T17:43:59Z", GoVersion:"go1.12.8", Compiler:"gc", Platform:"linux/amd64"}
KubeFed controller-manager version: version.Info{Version:"v4.2.0", GitCommit:"7f002471b9dd8366e1e0f080b46bc79864682f71", GitTreeState:"clean", BuildDate:"2019-08-25T20:09:07Z", GoVersion:"go1.12.6", Compiler:"gc", Platform:"linux/amd64"}

Still have the same issue.
F0828 11:28:16.301763 30785 federate.go:150] Error: Error creating federated resource "test-namespace/system:deployers": FederatedRoleBinding.types.kubefed.io "system:deployers" is invalid: metadata.name: Invalid value: "system:deployers": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2922