Bug 1784334 - The default cluster RBAC policy is flaky
Summary: The default cluster RBAC policy is flaky
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Catalog
Version: 4.4
Hardware: Unspecified
OS: Unspecified
urgent
unspecified
Target Milestone: ---
: 4.4.0
Assignee: Jesus M. Rodriguez
QA Contact: Fan Jia
URL:
Whiteboard:
: 1784822 1784837 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-12-17 09:34 UTC by Lukasz Szaszkiewicz
Modified: 2020-05-04 11:20 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-05-04 11:20:19 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift origin pull 24315 0 None closed Bug 1784334: Revert "check ServiceCatalog basic usages in OCP 4.x" 2020-07-07 18:22:09 UTC
Github openshift origin pull 24323 0 None closed Bug 1784334: Revert "check ServiceCatalog basic usages for OCP 4.x" 2020-07-07 18:22:09 UTC
Red Hat Product Errata RHBA-2020:0581 0 None None None 2020-05-04 11:20:43 UTC

Description Lukasz Szaszkiewicz 2019-12-17 09:34:54 UTC 
It seems like "The default cluster RBAC policy should have correct RBAC rules" e2e test is unstable and sometimes fails because extra permissions were found:

[github.com/openshift/origin/test/extended/authorization/rbac/groups_default_rules.go:222]: Dec 16 20:20:11.119: system:authenticated has extra permissions in namespace "":
{APIGroups:["servicecatalog.k8s.io"], Resources:["clusterserviceclasses"], Verbs:["list" "watch" "get"]}
{APIGroups:["servicecatalog.k8s.io"], Resources:["clusterserviceplans"], Verbs:["list" "watch" "get"]}
{NonResourceURLs:["/healthz/ready"], Verbs:["get"]}




The test runs with the other tests and sometimes passes that indicates there must be a test or tests that add these additional permissions.

I think we should chase down the tests that add extra permissions and based on that provide a fix for this test.



See as an example of failure
https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/pr-logs/pull/24286/pull-ci-openshift-origin-master-e2e-gcp/4667
Comment 1 Stephen Cuppett 2019-12-17 11:54:40 UTC 
Moving to active development branch (4.4) for investigation.
Comment 2 W. Trevor King 2019-12-18 13:56:57 UTC 
*** Bug 1784822 has been marked as a duplicate of this bug. ***
Comment 3 W. Trevor King 2019-12-18 13:57:50 UTC 
bug 1784822 motivates the urgent severity.
Comment 4 W. Trevor King 2019-12-18 14:03:45 UTC 
*** Bug 1784837 has been marked as a duplicate of this bug. ***
Comment 5 W. Trevor King 2019-12-18 22:10:08 UTC 
https://github.com/openshift/origin/pull/24323#event-2895043767 merged an hour ago.  Hopefully we'll see an improvement soon.
Comment 7 Fan Jia 2019-12-23 03:13:52 UTC 
The problem no longer exist since it is removed from 4.4.
Comment 9 errata-xmlrpc 2020-05-04 11:20:19 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581
Note You need to log in before you can comment on or make changes to this bug.