Bug 1905889 - Should create SA for each namespace that the operator scoped
Summary: Should create SA for each namespace that the operator scoped
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: OLM
Version: 4.7
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 4.7.0
Assignee: Evan Cordell
QA Contact: Jian Zhang
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-12-09 09:22 UTC by Jian Zhang
Modified: 2021-02-24 15:41 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-02-24 15:41:14 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:41:35 UTC

Description Jian Zhang 2020-12-09 09:22:30 UTC 
Description of problem:
When subscribing an operator to cluster scope, there are role and rolebinding generated for each namespace, but no SA generated although the rolebinding bound this SA. 

[root@preserve-olm-env data]# oc get rolebinding -n default 
NAME                               ROLE                                           AGE
etcdoperator.v0.9.4-clusterwide    Role/etcdoperator.v0.9.4-clusterwide           67s
...
    name: etcdoperator.v0.9.4-clusterwide
  subjects:
  - kind: ServiceAccount
    name: etcd-operator
...

[root@preserve-olm-env data]# oc get sa -n default|grep etcd-operator
[root@preserve-olm-env data]# 

Version-Release number of selected component (if applicable):
[root@preserve-olm-env data]# oc version
Client Version: 4.7.0-0.nightly-2020-12-04-013308
Server Version: 4.7.0-0.nightly-2020-12-09-012634
Kubernetes Version: v1.19.2+ad738ba

How reproducible:
always

Steps to Reproduce:
1. Install OCP 4.7 and login it as a cluster-admin role.
2. Subscribe the etcd-operator, select the cluster scope.
3. Check the rolebinding, role, SA for each namespace.

Actual results:
The rolebinding bound to the etcd-operator SA, but there is no corresponding SA(etcd-operator) generated actually.

[root@preserve-olm-env data]# oc get rolebinding -n default etcdoperator.v0.9.4-clusterwide -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
...
subjects:
- kind: ServiceAccount
  name: etcd-operator

[root@preserve-olm-env data]# oc get sa -n default|grep etcd-operator
[root@preserve-olm-env data]# 


Expected results:
Should generate the corresponding SA for each namespace that the operator scoped.

Additional info:
Comment 1 Jian Zhang 2020-12-14 07:40:58 UTC 
I guess this issue has been solved by bug 1906134 via "OLM should not create OperatorConditions for copied CSVs"
Correct me if I'm wrong, thanks!
Comment 4 errata-xmlrpc 2021-02-24 15:41:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633
Note You need to log in before you can comment on or make changes to this bug.