Bug 1740596
| Summary: | Rolebinding patch is not working for "authorization.openshift.io/v1" apiservice | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Abhishek <aabhishe> | |
| Component: | openshift-apiserver | Assignee: | Standa Laznicka <slaznick> | |
| Status: | CLOSED NOTABUG | QA Contact: | Xingxing Xia <xxia> | |
| Severity: | low | Docs Contact: | ||
| Priority: | low | |||
| Version: | 3.11.0 | CC: | aos-bugs, joerg.woehrle, ksathe, mfojtik, pkhaire | |
| Target Milestone: | --- | Keywords: | Reopened | |
| Target Release: | 3.11.z | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 1741169 (view as bug list) | Environment: | ||
| Last Closed: | 2020-06-08 12:38:34 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1741169 | |||
Description
Abhishek
2019-08-13 10:35:01 UTC
The schemas for rbac.authorization.k8s.io/v1 and authorization.openshift.io/v1 are distinct. You cannot apply patches from one to the other. The two commands below refer to the *same* resource:

```
$ oc get rolebinding.rbac admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2019-08-14T20:06:28Z"
  name: admin
  namespace: foobar
  resourceVersion: "96391"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/foobar/rolebindings/admin
  uid: 002390fd-becf-11e9-94ee-02b450c5a768
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:admin
```

```
$ oc get rolebinding.auth admin -o yaml
apiVersion: authorization.openshift.io/v1
groupNames: null
kind: RoleBinding
metadata:
  creationTimestamp: "2019-08-14T20:06:28Z"
  name: admin
  namespace: foobar
  resourceVersion: "96391"
  selfLink: /apis/authorization.openshift.io/v1/namespaces/foobar/rolebindings/admin
  uid: 002390fd-becf-11e9-94ee-02b450c5a768
roleRef:
  name: admin
subjects:
- kind: SystemUser
  name: system:admin
userNames:
- system:admin
```

I think this shouldn't have been closed. Note that in both of the above yaml `authorization.openshift.io/v1` is used as the apiVersion. It's only stated that the same `oc apply` command works as expected when you change it to `rbac.authorization.k8s.io/v1`. Please verify and reopen.

You should really use authorization.k8s.io/v1 instead of its openshift version.

I've worked on things with more priority; I may be able to look into this the next sprint.

I've looked into this. Since you're using the openshift (legacy) authorization group, you need to specify `userNames` instead of subjects; subjects will be ignored. This is stated in the `oc explain` of the API:
```
$ oc explain rolebinding --version=authorization.openshift.io
<snip>
   userNames    <[]string>
     UserNames holds all the usernames directly bound to the role. This field
     should only be specified when supporting legacy clients and servers. See
     Subjects for further details.

   subjects     <[]Object> -required-
     Subjects hold object references to authorize with this rule. This field is
     ignored if UserNames or GroupNames are specified to support legacy clients
     and servers. Thus newer clients that do not need to support backwards
     compatibility should send only fully qualified Subjects and should omit the
     UserNames and GroupNames fields. Clients that need to support backwards
     compatibility can use this field to build the UserNames and GroupNames.
```
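A pre-apply check for the behaviour described in the last comment, added here as an illustration and not part of the bug report or of OpenShift: given a legacy-group RoleBinding as it would look after a patch is merged, it reports `subjects` entries that will be ignored and legacy names that stay bound. The function names, the sample object and the subject-to-name mapping (including `system:serviceaccount:<namespace>:<name>` for service accounts) are assumptions made for this example.

```python
LEGACY_GROUP = "authorization.openshift.io"

def subject_name(subject, namespace):
    """Flatten a subject to the string form used in userNames/groupNames (assumed mapping)."""
    kind, name = subject.get("kind"), subject.get("name")
    if kind == "ServiceAccount":
        ns = subject.get("namespace") or namespace
        return "user", f"system:serviceaccount:{ns}:{name}"
    if kind in ("Group", "SystemGroup"):
        return "group", name
    return "user", name  # User, SystemUser

def check_rolebinding(obj):
    """Return findings for a RoleBinding given as a dict (merged result of a patch)."""
    group = obj.get("apiVersion", "").split("/")[0]
    if obj.get("kind") != "RoleBinding" or group != LEGACY_GROUP:
        return []  # rbac.authorization.k8s.io bindings only have subjects
    users = set(obj.get("userNames") or [])
    groups = set(obj.get("groupNames") or [])
    if not users and not groups:
        return []  # per `oc explain`, subjects is only ignored when these are specified
    ns = obj.get("metadata", {}).get("namespace", "")
    wanted = {subject_name(s, ns) for s in obj.get("subjects") or []}
    have = {("user", u) for u in users} | {("group", g) for g in groups}
    findings = []
    for kind, name in sorted(wanted - have):
        findings.append(f"subject {kind} {name!r} is ignored: not in userNames/groupNames")
    for kind, name in sorted(have - wanted):
        findings.append(f"{kind} {name!r} stays bound: in legacy field, absent from subjects")
    return findings

# Constructed sample: the binding from this report after a patch that replaced
# subjects with a hypothetical user "alice" but left userNames untouched.
SAMPLE = {
    "apiVersion": "authorization.openshift.io/v1",
    "kind": "RoleBinding",
    "metadata": {"name": "admin", "namespace": "foobar"},
    "roleRef": {"name": "admin"},
    "groupNames": None,
    "subjects": [{"kind": "User", "name": "alice"}],
    "userNames": ["system:admin"],
}

if __name__ == "__main__":
    print("\n".join(check_rolebinding(SAMPLE)))
```

Any finding means the binding the API server enforces differs from what the `subjects` list in the manifest says, so access reviews should read `userNames` and `groupNames` for legacy-group objects.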