Bug 1784822 - e2e failure: system:authenticated has extra permissions in namespace
Summary: e2e failure: system:authenticated has extra permissions in namespace
Keywords:
Status: CLOSED DUPLICATE of bug 1784334
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Catalog
Version: 4.4
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: ---
: 4.4.0
Assignee: Jesus M. Rodriguez
QA Contact: Fan Jia
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-12-18 12:08 UTC by W. Trevor King
Modified: 2019-12-18 13:56 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-12-18 13:56:57 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description W. Trevor King 2019-12-18 12:08:54 UTC
E.g. [1]:

fail [github.com/openshift/origin/test/extended/authorization/rbac/groups_default_rules.go:222]: Dec 18 11:37:31.634: system:authenticated has extra permissions in namespace "":
{APIGroups:["servicecatalog.k8s.io"], Resources:["clusterserviceclasses"], Verbs:["list" "watch" "get"]}
{APIGroups:["servicecatalog.k8s.io"], Resources:["clusterserviceplans"], Verbs:["list" "watch" "get"]}
{NonResourceURLs:["/healthz/ready"], Verbs:["get"]}

failed: (11.6s) 2019-12-18T11:37:31 "[Feature:OpenShiftAuthorization] The default cluster RBAC policy should have correct RBAC rules [Suite:openshift/conformance/parallel]"

Searching for the extra-permissions string [2], we have almost 200 in the past 24h, showing up in 13% of failed e2e jobs.  Seems to be specific to CI and 4.4.

[1]: https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/pr-logs/pull/openshift_installer/2821/pull-ci-openshift-installer-master-e2e-aws/9180
[2]: https://search.svc.ci.openshift.org/chart?search=fail.*system:authenticated%20has%20extra%20permissions%20in%20namespace&search=failed:.*The%20default%20cluster%20RBAC%20policy%20should%20have%20correct%20RBAC%20rules

Comment 1 W. Trevor King 2019-12-18 12:11:12 UTC
Actually, moving to the Service Catalog folks, since those look like their permissions leaking in.

Comment 2 W. Trevor King 2019-12-18 12:24:05 UTC
Here we are in a release informer [1].  And [2], which was for [3].  4.4 CI build before [3] passed, which might give a set of reversion candidates, but none of the linked pull requests are jumping out at me as obvious suspects.


[1]: https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/logs/release-openshift-origin-installer-e2e-gcp-4.4/369
[2]: https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/logs/release-openshift-origin-installer-e2e-gcp-4.4/365
[3]: https://openshift-release.svc.ci.openshift.org/releasestream/4.4.0-0.ci/release/4.4.0-0.ci-2019-12-18-041739

Comment 3 W. Trevor King 2019-12-18 13:47:46 UTC
Restricting the search to AWS PR presubmits, this shows up in 50% of our failures and we only have a 28% pass rate [1].  Raising to urgent.

[1]: https://search.svc.ci.openshift.org/chart?name=pull-ci.*e2e-aws$&search=system:authenticated%20has%20extra%20permissions%20in%20namespace

Comment 4 W. Trevor King 2019-12-18 13:56:57 UTC

*** This bug has been marked as a duplicate of bug 1784334 ***


Note You need to log in before you can comment on or make changes to this bug.