Description of problem:
When editing clusterrole/binding created by the HPP operator via kubectl, it does not reconcile them back to the opinionated values

Version-Release number of selected component (if applicable):
HPP release 0.7.1

How reproducible:
100%

Steps to Reproduce:
1. Patch .rules list on clusterrole / .subjects on clusterrolebinding

Actual results:
rules list stays empty

Expected results:
rules list repopulated shortly after

Additional info:

[root@dell-r740xd-004 hostpath-provisioner]# ./cluster-up/kubectl.sh get clusterrole hostpath-provisioner -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    hostpathprovisioner.kubevirt.io/lastAppliedConfiguration: '{"metadata":{"name":"hostpath-provisioner","creationTimestamp":null,"labels":{"k8s-app":"hostpath-provisioner"}},"rules":[{"verbs":["get","list","watch","create","delete"],"apiGroups":[""],"resources":["persistentvolumes"]},{"verbs":["get","list","watch","update"],"apiGroups":[""],"resources":["persistentvolumeclaims"]},{"verbs":["get","list","watch"],"apiGroups":["storage.k8s.io"],"resources":["storageclasses"]},{"verbs":["list","watch","create","patch","update"],"apiGroups":[""],"resources":["events"]},{"verbs":["get"],"apiGroups":[""],"resources":["nodes"]}]}'
  creationTimestamp: "2021-02-16T16:31:10Z"
  labels:
    k8s-app: hostpath-provisioner
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:hostpathprovisioner.kubevirt.io/lastAppliedConfiguration: {}
        f:labels:
          .: {}
          f:k8s-app: {}
      f:rules: {}
    manager: hostpath-provisioner-operator
    operation: Update
    time: "2021-02-16T16:31:10Z"
  name: hostpath-provisioner
  resourceVersion: "1345"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/hostpath-provisioner
  uid: ddf7951a-4a95-4651-b8fc-37201216a3cb
rules:
- apiGroups:
  - ""
  resources:
  - persistentvolumes
  verbs:
  - get
  - list
  - watch
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - get
  - list
  - watch
  - update
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - list
  - watch
  - create
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get

[root@dell-r740xd-004 hostpath-provisioner]# ./cluster-up/kubectl.sh patch clusterrole hostpath-provisioner -p '{"rules":[]}'
clusterrole.rbac.authorization.k8s.io/hostpath-provisioner patched

[root@dell-r740xd-004 hostpath-provisioner]# ./cluster-up/kubectl.sh get clusterrole hostpath-provisioner -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    hostpathprovisioner.kubevirt.io/lastAppliedConfiguration: '{"metadata":{"name":"hostpath-provisioner","creationTimestamp":null,"labels":{"k8s-app":"hostpath-provisioner"}},"rules":[{"verbs":["get","list","watch","create","delete"],"apiGroups":[""],"resources":["persistentvolumes"]},{"verbs":["get","list","watch","update"],"apiGroups":[""],"resources":["persistentvolumeclaims"]},{"verbs":["get","list","watch"],"apiGroups":["storage.k8s.io"],"resources":["storageclasses"]},{"verbs":["list","watch","create","patch","update"],"apiGroups":[""],"resources":["events"]},{"verbs":["get"],"apiGroups":[""],"resources":["nodes"]}]}'
  creationTimestamp: "2021-02-16T16:31:10Z"
  labels:
    k8s-app: hostpath-provisioner
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:hostpathprovisioner.kubevirt.io/lastAppliedConfiguration: {}
        f:labels:
          .: {}
          f:k8s-app: {}
    manager: hostpath-provisioner-operator
    operation: Update
    time: "2021-02-16T16:31:10Z"
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:rules: {}
    manager: .kubectl
    operation: Update
    time: "2021-02-16T16:32:25Z"
  name: hostpath-provisioner
  resourceVersion: "1538"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/hostpath-provisioner
  uid: ddf7951a-4a95-4651-b8fc-37201216a3cb
rules: null

Note: Making any edit on the DaemonSet (which does get reconciled correctly) will trigger the reconciliation for the clusterrole/binding as well.
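
Added example, not part of the original report or the HPP operator's code: a drift check that compares a ClusterRole's live rules with the rules stored in the lastAppliedConfiguration annotation and reports which field manager owns f:rules. It assumes the annotation records the rules the operator intends; rbac_drift, _norm and SAMPLE are hypothetical names, and the sample object is constructed from the output above.

```python
import json

# Annotation name as it appears in the report's kubectl output.
ANNOTATION = "hostpathprovisioner.kubevirt.io/lastAppliedConfiguration"

def _norm(rules):
    """Order-insensitive, hashable form of a PolicyRule list (None -> empty set)."""
    return {
        (tuple(sorted(r.get("apiGroups") or [])),
         tuple(sorted(r.get("resources") or [])),
         tuple(sorted(r.get("verbs") or [])))
        for r in (rules or [])
    }

def rbac_drift(obj):
    """Diff live .rules against the annotation and name who owns f:rules.

    Assumption: the annotation records the rules the operator intends.
    """
    desired = json.loads(obj["metadata"]["annotations"][ANNOTATION])
    want, have = _norm(desired.get("rules")), _norm(obj.get("rules"))
    owners = [m.get("manager")
              for m in obj["metadata"].get("managedFields", [])
              if "f:rules" in m.get("fieldsV1", {})]
    return {"missing": sorted(want - have),   # intended but no longer granted
            "extra": sorted(have - want),     # granted but never intended
            "rules_owned_by": owners}

# Constructed sample: the patched ClusterRole from the report, cut to two rules.
SAMPLE = {
    "kind": "ClusterRole",
    "metadata": {
        "name": "hostpath-provisioner",
        "annotations": {ANNOTATION: json.dumps({"rules": [
            {"verbs": ["get", "list", "watch", "create", "delete"],
             "apiGroups": [""], "resources": ["persistentvolumes"]},
            {"verbs": ["get"], "apiGroups": [""], "resources": ["nodes"]},
        ]})},
        "managedFields": [
            {"manager": "hostpath-provisioner-operator",
             "fieldsV1": {"f:metadata": {}}},
            {"manager": ".kubectl", "fieldsV1": {"f:rules": {}}},
        ],
    },
    "rules": None,
}

if __name__ == "__main__":
    print(json.dumps(rbac_drift(SAMPLE), indent=2))
```

The same function accepts the parsed output of kubectl get clusterrole hostpath-provisioner -o json; a non-empty "extra" list is the case to alert on first, since it means the role grants permissions the operator never intended.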
I am changing it to ON_QA with the assumption that the merged PR is a fix for the bug, let me know if that's wrong.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Virtualization 4.8.0 Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2920