Description of problem: Rolebinding patch is not working for "authorization.openshift.io/v1" apiservice

# cat > rolebinding.yaml << EOL
apiVersion: authorization.openshift.io/v1
kind: RoleBinding
metadata:
  name: test-rolebinding
roleRef:
  kind: Role
  name: view
  apiGroup: rbac.authorization.openshift.io
subjects:
- kind: User
  name: user1
  apiGroup: rbac.authorization.openshift.io
EOL

# oc apply -f rolebinding.yaml
rolebinding.authorization.openshift.io/test-rolebinding created

# oc get rolebinding test-rolebinding
NAME               ROLE    USERS   GROUPS   SERVICE ACCOUNTS   SUBJECTS
test-rolebinding   /view   user1

Edited the yaml file and added the lines below:

- kind: User
  name: user2
  apiGroup: rbac.authorization.openshift.io

# oc apply -f rolebinding.yaml
rolebinding.authorization.openshift.io/test-rolebinding configured

# oc get rolebinding test-rolebinding
NAME               ROLE    USERS   GROUPS   SERVICE ACCOUNTS   SUBJECTS
test-rolebinding   /view   user1

But when I use the rbac.authorization.k8s.io/v1 apiVersion it's working as expected.
The schema for rbac.authorization.k8s.io/v1 and authorization.openshift.io/v1 are distinct. You cannot apply patches from one to the other. The two commands below refer to the *same* resource:

$ oc get rolebinding.rbac admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2019-08-14T20:06:28Z"
  name: admin
  namespace: foobar
  resourceVersion: "96391"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/foobar/rolebindings/admin
  uid: 002390fd-becf-11e9-94ee-02b450c5a768
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: system:admin

$ oc get rolebinding.auth admin -o yaml
apiVersion: authorization.openshift.io/v1
groupNames: null
kind: RoleBinding
metadata:
  creationTimestamp: "2019-08-14T20:06:28Z"
  name: admin
  namespace: foobar
  resourceVersion: "96391"
  selfLink: /apis/authorization.openshift.io/v1/namespaces/foobar/rolebindings/admin
  uid: 002390fd-becf-11e9-94ee-02b450c5a768
roleRef:
  name: admin
subjects:
- kind: SystemUser
  name: system:admin
userNames:
- system:admin
I think this shouldn't have been closed. Note that in both of the above YAML files `authorization.openshift.io/v1` is used as the apiVersion. It's only stated that the same `oc apply` command works as expected when you change it to `rbac.authorization.k8s.io/v1`. Please verify and reopen.
You should really use authorization.k8s.io/v1 instead of its openshift version. I've been working on things with higher priority; I may be able to look into this next sprint.
I've looked into this. Since you're using the openshift (legacy) authorization group, you need to specify `userNames` instead of subjects; subjects will be ignored. This is stated in the `oc explain` of the API:

$ oc explain rolebinding --version=authorization.openshift.io
<snip>
   userNames    <[]string>
     UserNames holds all the usernames directly bound to the role. This field
     should only be specified when supporting legacy clients and servers. See
     Subjects for further details.

   subjects     <[]Object> -required-
     Subjects hold object references to authorize with this rule. This field is
     ignored if UserNames or GroupNames are specified to support legacy clients
     and servers. Thus newer clients that do not need to support backwards
     compatibility should send only fully qualified Subjects and should omit the
     UserNames and GroupNames fields. Clients that need to support backwards
     compatibility can use this field to build the UserNames and GroupNames.
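A small check for the rule quoted above, added here as an example and not code from the bug report or from OpenShift: given a legacy authorization.openshift.io/v1 RoleBinding as parsed from YAML (the input dict is constructed to match the reporter's edited manifest), it reports the subjects the server will silently ignore because userNames/groupNames are set, and rebuilds those legacy fields from subjects so the two agree. The SystemUser mapping follows the `oc get rolebinding.auth` output above; the Group/SystemGroup mapping is an assumption, and ServiceAccount subjects are out of scope.

```python
LEGACY_API = "authorization.openshift.io/v1"
USER_KINDS = {"User", "SystemUser"}    # SystemUser -> userNames, as in the oc get output above
GROUP_KINDS = {"Group", "SystemGroup"}  # assumption: groups mirror the user kinds

def legacy_names(subjects):
    """Split subjects into the (userNames, groupNames) lists the legacy API honours."""
    users, groups = [], []
    for subj in subjects or []:
        kind, name = subj["kind"], subj["name"]
        if kind in USER_KINDS:
            users.append(name)
        elif kind in GROUP_KINDS:
            groups.append(name)
        else:  # ServiceAccount and others need a different mapping; out of scope here
            raise ValueError(f"unsupported subject kind for legacy mapping: {kind}")
    return users, groups

def ignored_subjects(binding):
    """Subject names the server drops: per `oc explain`, a legacy binding that sets
    userNames or groupNames ignores `subjects` entirely."""
    if binding.get("apiVersion") != LEGACY_API:
        return []  # rbac.authorization.k8s.io/v1 has no legacy fields
    if binding.get("userNames") is None and binding.get("groupNames") is None:
        return []  # no legacy fields set, so subjects is authoritative
    users, groups = legacy_names(binding.get("subjects"))
    kept_users = set(binding.get("userNames") or [])
    kept_groups = set(binding.get("groupNames") or [])
    return ([u for u in users if u not in kept_users]
            + [g for g in groups if g not in kept_groups])

def sync_legacy_fields(binding):
    """Copy of the binding with userNames/groupNames rebuilt from subjects."""
    fixed = dict(binding)
    fixed["userNames"], fixed["groupNames"] = legacy_names(binding.get("subjects"))
    return fixed

# Constructed sample: the reporter's edited manifest, with userNames present the way
# the legacy view of a binding carries it (see the `oc get rolebinding.auth` output).
SAMPLE = {
    "apiVersion": LEGACY_API,
    "kind": "RoleBinding",
    "metadata": {"name": "test-rolebinding"},
    "roleRef": {"name": "view"},
    "userNames": ["user1"],
    "subjects": [{"kind": "User", "name": "user1"}, {"kind": "User", "name": "user2"}],
}

if __name__ == "__main__":
    print("ignored subjects:", ignored_subjects(SAMPLE))                # ['user2']
    print("synced userNames:", sync_legacy_fields(SAMPLE)["userNames"])  # ['user1', 'user2']
```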