E.g. [1]: fail [github.com/openshift/origin/test/extended/authorization/rbac/groups_default_rules.go:222]: Dec 18 11:37:31.634: system:authenticated has extra permissions in namespace "": {APIGroups:["servicecatalog.k8s.io"], Resources:["clusterserviceclasses"], Verbs:["list" "watch" "get"]} {APIGroups:["servicecatalog.k8s.io"], Resources:["clusterserviceplans"], Verbs:["list" "watch" "get"]} {NonResourceURLs:["/healthz/ready"], Verbs:["get"]} failed: (11.6s) 2019-12-18T11:37:31 "[Feature:OpenShiftAuthorization] The default cluster RBAC policy should have correct RBAC rules [Suite:openshift/conformance/parallel]" Searching for the extra-permissions string [2], we have almost 200 in the past 24h, showing up in 13% of failed e2e jobs. Seems to be specific to CI and 4.4. [1]: https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/pr-logs/pull/openshift_installer/2821/pull-ci-openshift-installer-master-e2e-aws/9180 [2]: https://search.svc.ci.openshift.org/chart?search=fail.*system:authenticated%20has%20extra%20permissions%20in%20namespace&search=failed:.*The%20default%20cluster%20RBAC%20policy%20should%20have%20correct%20RBAC%20rules
Actually, moving to the Service Catalog folks, since those look like their permissions leaking in.
Here we are in a release informer [1]. And [2], which was for [3]. 4.4 CI build before [3] passed, which might give a set of reversion candidates, but none of the linked pull requests are jumping out at me as obvious suspects. [1]: https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/logs/release-openshift-origin-installer-e2e-gcp-4.4/369 [2]: https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/logs/release-openshift-origin-installer-e2e-gcp-4.4/365 [3]: https://openshift-release.svc.ci.openshift.org/releasestream/4.4.0-0.ci/release/4.4.0-0.ci-2019-12-18-041739
Restricting the search to AWS PR presubmits, this shows up in 50% of our failures and we only have a 28% pass rate [1]. Raising to urgent. [1]: https://search.svc.ci.openshift.org/chart?name=pull-ci.*e2e-aws$&search=system:authenticated%20has%20extra%20permissions%20in%20namespace
*** This bug has been marked as a duplicate of bug 1784334 ***