1784822 – e2e failure: system:authenticated has extra permissions in namespace

Bug 1784822 - e2e failure: system:authenticated has extra permissions in namespace

Summary: e2e failure: system:authenticated has extra permissions in namespace

Keywords:
Status:	CLOSED DUPLICATE of bug 1784334
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Service Catalog
Sub Component:
Version:	4.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Target Release:	4.4.0
Assignee:	Jesus M. Rodriguez
QA Contact:	Fan Jia
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2019-12-18 12:08 UTC by W. Trevor King
Modified:	2019-12-18 13:56 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-12-18 13:56:57 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description W. Trevor King 2019-12-18 12:08:54 UTC

E.g. [1]:

fail [github.com/openshift/origin/test/extended/authorization/rbac/groups_default_rules.go:222]: Dec 18 11:37:31.634: system:authenticated has extra permissions in namespace "":
{APIGroups:["servicecatalog.k8s.io"], Resources:["clusterserviceclasses"], Verbs:["list" "watch" "get"]}
{APIGroups:["servicecatalog.k8s.io"], Resources:["clusterserviceplans"], Verbs:["list" "watch" "get"]}
{NonResourceURLs:["/healthz/ready"], Verbs:["get"]}

failed: (11.6s) 2019-12-18T11:37:31 "[Feature:OpenShiftAuthorization] The default cluster RBAC policy should have correct RBAC rules [Suite:openshift/conformance/parallel]"

Searching for the extra-permissions string [2], we have almost 200 in the past 24h, showing up in 13% of failed e2e jobs.  Seems to be specific to CI and 4.4.

[1]: https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/pr-logs/pull/openshift_installer/2821/pull-ci-openshift-installer-master-e2e-aws/9180
[2]: https://search.svc.ci.openshift.org/chart?search=fail.*system:authenticated%20has%20extra%20permissions%20in%20namespace&search=failed:.*The%20default%20cluster%20RBAC%20policy%20should%20have%20correct%20RBAC%20rules

Comment 1 W. Trevor King 2019-12-18 12:11:12 UTC

Actually, moving to the Service Catalog folks, since those look like their permissions leaking in.

Comment 2 W. Trevor King 2019-12-18 12:24:05 UTC

Here we are in a release informer [1].  And [2], which was for [3].  4.4 CI build before [3] passed, which might give a set of reversion candidates, but none of the linked pull requests are jumping out at me as obvious suspects.


[1]: https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/logs/release-openshift-origin-installer-e2e-gcp-4.4/369
[2]: https://prow.svc.ci.openshift.org/view/gcs/origin-ci-test/logs/release-openshift-origin-installer-e2e-gcp-4.4/365
[3]: https://openshift-release.svc.ci.openshift.org/releasestream/4.4.0-0.ci/release/4.4.0-0.ci-2019-12-18-041739

Comment 3 W. Trevor King 2019-12-18 13:47:46 UTC

Restricting the search to AWS PR presubmits, this shows up in 50% of our failures and we only have a 28% pass rate [1].  Raising to urgent.

[1]: https://search.svc.ci.openshift.org/chart?name=pull-ci.*e2e-aws$&search=system:authenticated%20has%20extra%20permissions%20in%20namespace

Comment 4 W. Trevor King 2019-12-18 13:56:57 UTC


*** This bug has been marked as a duplicate of bug 1784334 ***

Note You need to log in before you can comment on or make changes to this bug.