1767964 – oc cert deny says "approved" on the confirmation message

Bug 1767964 - oc cert deny says "approved" on the confirmation message

Summary: oc cert deny says "approved" on the confirmation message

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	oc
Sub Component:
Version:	4.2.0
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	---
Target Release:	4.3.0
Assignee:	Maciej Szulik
QA Contact:	zhou ying
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-11-01 18:22 UTC by Stephen Cuppett
Modified:	2020-01-23 11:10 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-01-23 11:10:26 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift oc pull 144	0	None	None	None	2019-11-05 11:17:13 UTC
Red Hat Product Errata	RHBA-2020:0062	0	None	None	None	2020-01-23 11:10:40 UTC

Description Stephen Cuppett 2019-11-01 18:22:54 UTC

Description of problem:

Running a oc cert deny yields a ‘appoved’ msg on the command line (this doesn’t make sense) but shows denied on the cert listing


[root@ocp4-001 191101-cnv]# bash 191101-useful03-cert-deep-inspection |grep 006

csr-2l88b |        Subject: O=system:nodes, CN=system:node:ocp4-006

csr-7zcxk |        Subject: O=system:nodes, CN=system:node:ocp4-006

csr-cqg8d |        Subject: O=system:nodes, CN=system:node:ocp4-006

csr-fcr79 |        Subject: O=system:nodes, CN=system:node:ocp4-006

csr-gkknt |        Subject: O=system:nodes, CN=system:node:ocp4-006

csr-hc7pg |        Subject: O=system:nodes, CN=system:node:ocp4-006

csr-l9nqb |        Subject: O=system:nodes, CN=system:node:ocp4-006
 

[root@ocp4-001 191101-cnv]# oc adm certificate  deny csr-2l88b

certificatesigningrequest.certificates.k8s.io/csr-2l88b approved


Version-Release number of selected component (if applicable):

4.2.0 GA

How reproducible:

Always


Steps to Reproduce:
1. Run oc deny for an outstanding CSR
2. See the "approved" message from above.

Actual results:

It indicates it is approved

Expected results:

It should say denied


Additional info:

N/A

Comment 2 Maciej Szulik 2019-11-05 11:17:13 UTC

Should be solved when https://github.com/openshift/oc/pull/144 merges

Comment 4 zhou ying 2019-11-08 06:54:09 UTC

confirmed with latest oc client, the issue has fixed:
[root@dhcp-140-138 ~]# oc version
Client Version: v4.3.0
Server Version: 4.3.0-0.nightly-2019-11-07-172437
Kubernetes Version: v1.16.2


[root@dhcp-140-138 ~]#  oc adm certificate  deny csr-test-fed8d184
certificatesigningrequest.certificates.k8s.io/csr-test-fed8d184 denied
[root@dhcp-140-138 ~]# oc get csr csr-test-fed8d184
NAME                AGE   REQUESTOR      CONDITION
csr-test-fed8d184   59s   system:admin   Denied
[root@dhcp-140-138 ~]# oc describe csr csr-test-fed8d184
Name:               csr-test-fed8d184
Labels:             <none>
Annotations:        <none>
CreationTimestamp:  Fri, 08 Nov 2019 14:51:27 +0800
Requesting User:    system:admin
Status:             Denied
Subject:
  Common Name:    system:node:qe-jhou-ckg5s-worker-68rcv
  Serial Number:  
  Organization:   system:nodes
Subject Alternative Names:
         DNS Names:     qe-jhou-ckg5s-worker-68rcv
         IP Addresses:  192.168.0.23
Events:  <none>

Comment 6 errata-xmlrpc 2020-01-23 11:10:26 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0062

Note You need to log in before you can comment on or make changes to this bug.