Description of problem: Check clusterrole.rbac via "oc describe clusterrole.rbac", several cluster role contains duplicate policy verbs. Version-Release number of selected component (if applicable): 4.4.0-0.nightly-2020-02-23-191320 How reproducible: Always Steps to Reproduce: 1. Check clusterrole.rbac via admin $ oc describe clusterrole.rbac Or for a shorter output, $ oc describe clusterrole.rbac view Actual results: $ oc describe clusterrole.rbac view Name: view Labels: kubernetes.io/bootstrapping=rbac-defaults rbac.authorization.k8s.io/aggregate-to-edit=true Annotations: rbac.authorization.kubernetes.io/autoupdate: true PolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- namespaces [] [] [get get list watch] packagemanifests.packages.operators.coreos.com [] [] [get list watch get list watch] appliedclusterresourcequotas [] [] [get list watch] bindings [] [] [get list watch] buildconfigs/webhooks [] [] [get list watch] buildconfigs [] [] [get list watch] buildlogs [] [] [get list watch] Expected results: No duplicate verbs. Additional info:
the crd seems to belong to openshift-marketplace, moving to OLM who own the resource and its RBAC
This bug hasn't had any activity in the last 30 days. Maybe the problem got resolved, was a duplicate of something else, or became less pressing for some reason - or maybe it's still relevant but just hasn't been looked at yet. As such, we're marking this bug as "LifecycleStale" and decreasing severity from "medium" to "low". If you have further information on the current state of the bug, please update it, otherwise this bug will be automatically closed in 7 days. The information can be, for example, that the problem still occurs, that you still want the feature, that more information is needed, or that the bug is (for whatever reason) no longer relevant.
$ oc version Client Version: 4.4.0-202005111349-2576e48 Server Version: 4.4.3 Kubernetes Version: v1.17.1 $ oc describe clusterrole.rbac view Name: view Labels: kubernetes.io/bootstrapping=rbac-defaults rbac.authorization.k8s.io/aggregate-to-edit=true Annotations: rbac.authorization.kubernetes.io/autoupdate: true PolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- namespaces [] [] [get get list watch] packagemanifests.packages.operators.coreos.com [] [] [get list watch get list watch]
This will be fixed upstream, so I'm moving this to 4.6.
upstream PR here: https://github.com/kubernetes/kubernetes/pull/91264
This bug is actively being worked on. Waiting on upstream review/merge.
I’m adding UpcomingSprint, because the work on this bug is done and approved but it is waiting for upstream CI to accept changes.
I’m adding UpcomingSprint, because the work on this bug is done upstream and should be pulled in with the latest kube bump happening now.
Please verify this is fixed in latest oc. Thanks.
Verified in the payload below and i do not see any duplicate verbs being listed, based on that moving the bug to verified state. [ramakasturinarra@dhcp35-60 cucushift]$ oc version -o yaml clientVersion: buildDate: "2020-08-21T02:37:08Z" compiler: gc gitCommit: ea0d54068621ec0f95973068729f739f3dacfef7 gitTreeState: clean gitVersion: 4.6.0-202008210209.p0-ea0d540 goVersion: go1.14.4 major: "" minor: "" platform: linux/amd64 openshiftVersion: 4.6.0-0.nightly-2020-08-21-011653 serverVersion: buildDate: "2020-08-20T16:46:57Z" compiler: gc gitCommit: 3e083ac29409923906267ebcc5f8e0aa13072c72 gitTreeState: dirty gitVersion: v1.19.0-rc.2+3e083ac-dirty goVersion: go1.14.4 major: "1" minor: 19+ platform: linux/amd64 [ramakasturinarra@dhcp35-60 cucushift]$ oc describe clusterrole.rbac view Name: view Labels: kubernetes.io/bootstrapping=rbac-defaults rbac.authorization.k8s.io/aggregate-to-edit=true Annotations: rbac.authorization.kubernetes.io/autoupdate: true PolicyRule: Resources Non-Resource URLs Resource Names Verbs --------- ----------------- -------------- ----- appliedclusterresourcequotas [] [] [get list watch] bindings [] [] [get list watch] buildconfigs/webhooks [] [] [get list watch] buildconfigs [] [] [get list watch] buildlogs [] [] [get list watch] builds/log [] [] [get list watch] builds [] [] [get list watch] configmaps [] [] [get list watch] deploymentconfigs/log [] [] [get list watch] deploymentconfigs/scale [] [] [get list watch] deploymentconfigs/status [] [] [get list watch] deploymentconfigs [] [] [get list watch] endpoints [] [] [get list watch] events [] [] [get list watch] imagestreamimages [] [] [get list watch] imagestreammappings [] [] [get list watch] imagestreams/status [] [] [get list watch] imagestreams [] [] [get list watch] imagestreamtags [] [] [get list watch] imagetags [] [] [get list watch] limitranges [] [] [get list watch] namespaces/status [] [] [get list watch] namespaces [] [] [get list watch] persistentvolumeclaims/status [] [] [get list watch] persistentvolumeclaims [] [] [get list watch] pods/log [] [] [get list watch] pods/status [] [] [get list watch] pods [] [] [get list watch] processedtemplates [] [] [get list watch] replicationcontrollers/scale [] [] [get list watch] replicationcontrollers/status [] [] [get list watch] replicationcontrollers [] [] [get list watch] resourcequotas/status [] [] [get list watch] resourcequotas [] [] [get list watch] resourcequotausages [] [] [get list watch] routes/status [] [] [get list watch] routes [] [] [get list watch] serviceaccounts [] [] [get list watch] services/status [] [] [get list watch] services [] [] [get list watch] templateconfigs [] [] [get list watch] templateinstances [] [] [get list watch] templates [] [] [get list watch] deploymentconfigs.apps.openshift.io/log [] [] [get list watch] deploymentconfigs.apps.openshift.io/scale [] [] [get list watch] deploymentconfigs.apps.openshift.io/status [] [] [get list watch] deploymentconfigs.apps.openshift.io [] [] [get list watch] controllerrevisions.apps [] [] [get list watch] daemonsets.apps/status [] [] [get list watch] daemonsets.apps [] [] [get list watch] deployments.apps/scale [] [] [get list watch] deployments.apps/status [] [] [get list watch] deployments.apps [] [] [get list watch] replicasets.apps/scale [] [] [get list watch] replicasets.apps/status [] [] [get list watch] replicasets.apps [] [] [get list watch] statefulsets.apps/scale [] [] [get list watch] statefulsets.apps/status [] [] [get list watch] statefulsets.apps [] [] [get list watch] horizontalpodautoscalers.autoscaling/status [] [] [get list watch] horizontalpodautoscalers.autoscaling [] [] [get list watch] cronjobs.batch/status [] [] [get list watch] cronjobs.batch [] [] [get list watch] jobs.batch/status [] [] [get list watch] jobs.batch [] [] [get list watch] buildconfigs.build.openshift.io/webhooks [] [] [get list watch] buildconfigs.build.openshift.io [] [] [get list watch] buildlogs.build.openshift.io [] [] [get list watch] builds.build.openshift.io/log [] [] [get list watch] builds.build.openshift.io [] [] [get list watch] daemonsets.extensions/status [] [] [get list watch] daemonsets.extensions [] [] [get list watch] deployments.extensions/scale [] [] [get list watch] deployments.extensions/status [] [] [get list watch] deployments.extensions [] [] [get list watch] ingresses.extensions/status [] [] [get list watch] ingresses.extensions [] [] [get list watch] networkpolicies.extensions [] [] [get list watch] replicasets.extensions/scale [] [] [get list watch] replicasets.extensions/status [] [] [get list watch] replicasets.extensions [] [] [get list watch] replicationcontrollers.extensions/scale [] [] [get list watch] imagestreamimages.image.openshift.io [] [] [get list watch] imagestreammappings.image.openshift.io [] [] [get list watch] imagestreams.image.openshift.io/status [] [] [get list watch] imagestreams.image.openshift.io [] [] [get list watch] imagestreamtags.image.openshift.io [] [] [get list watch] imagetags.image.openshift.io [] [] [get list watch] nodes.metrics.k8s.io [] [] [get list watch] pods.metrics.k8s.io [] [] [get list watch] ingresses.networking.k8s.io/status [] [] [get list watch] ingresses.networking.k8s.io [] [] [get list watch] networkpolicies.networking.k8s.io [] [] [get list watch] catalogsources.operators.coreos.com [] [] [get list watch] clusterserviceversions.operators.coreos.com [] [] [get list watch] installplans.operators.coreos.com [] [] [get list watch] operatorgroups.operators.coreos.com [] [] [get list watch] subscriptions.operators.coreos.com [] [] [get list watch] packagemanifests.packages.operators.coreos.com/icon [] [] [get list watch] packagemanifests.packages.operators.coreos.com [] [] [get list watch] poddisruptionbudgets.policy/status [] [] [get list watch] poddisruptionbudgets.policy [] [] [get list watch] appliedclusterresourcequotas.quota.openshift.io [] [] [get list watch] routes.route.openshift.io/status [] [] [get list watch] routes.route.openshift.io [] [] [get list watch] volumesnapshots.snapshot.storage.k8s.io [] [] [get list watch] processedtemplates.template.openshift.io [] [] [get list watch] templateconfigs.template.openshift.io [] [] [get list watch] templateinstances.template.openshift.io [] [] [get list watch] templates.template.openshift.io [] [] [get list watch] imagestreams/layers [] [] [get] projects [] [] [get] imagestreams.image.openshift.io/layers [] [] [get] projects.project.openshift.io [] [] [get] jenkins.build.openshift.io [] [] [view] From the above do not see any duplicate verb.
Moving the bug to verified based on comment 14
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196