Description of problem:
create monitoring-alertmanager-edit RoleBinding for user testuser-11

# oc project openshift-monitoring; oc adm policy add-role-to-user monitoring-alertmanager-edit testuser-11; oc project default
or
# oc adm policy add-role-to-user monitoring-alertmanager-edit testuser-11 -n openshift-monitoring

check the result: roleRef.kind is ClusterRole, which is wrong, it should be roleRef.kind: Role

NOTE: this issue only happens with the oc client; there is no such issue if we create the RoleBinding from the console UI

# oc -n openshift-monitoring get RoleBinding monitoring-alertmanager-edit -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2021-07-22T12:41:49Z"
  name: monitoring-alertmanager-edit
  namespace: openshift-monitoring
  resourceVersion: "225504"
  uid: a72aed41-e624-4690-830f-1236dedab857
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: monitoring-alertmanager-edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: testuser-11

# oc -n openshift-monitoring get role monitoring-alertmanager-edit -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2021-07-22T05:26:34Z"
  name: monitoring-alertmanager-edit
  namespace: openshift-monitoring
  resourceVersion: "7822"
  uid: aef16a78-0858-4329-bcca-b9759898b073
rules:
- apiGroups:
  - monitoring.coreos.com
  resourceNames:
  - non-existant
  resources:
  - alertmanagers
  verbs:
  - patch

Version-Release number of selected component (if applicable):
# oc version
Client Version: 4.9.0-0.nightly-2021-07-21-081948
Server Version: 4.9.0-0.nightly-2021-07-21-081948
Kubernetes Version: v1.21.1+8268f88

How reproducible:
always

Steps to Reproduce:
1. see the description
2.
3.

Actual results:
roleRef.kind is ClusterRole

Expected results:
roleRef.kind is Role

Additional info:

According to the help:

$ oc adm policy add-role-to-user -h
Add a role to users or service accounts for the current project

So the -n openshift-monitoring only specifies in which namespace the command should take place (where the RoleBinding should be created).

The help also specifies that:

    When --role-namespace argument is specified as a non-empty value, it MUST match the current namespace. When role-namespace is specified, the rolebinding will reference a namespaced Role. Otherwise, the rolebinding will reference a ClusterRole resource.

    --role-namespace='': namespace where the role is located: empty means a role defined in cluster policy

I have tested it, and after adding this argument the appropriate RoleBinding referencing the Role was created.

Can you check if the following command works on your side as well?

oc adm policy add-role-to-user monitoring-alertmanager-edit testuser-11 -n openshift-monitoring --role-namespace openshift-monitoring

(In reply to Filip Krepinsky from comment #1)
> Can you check if the following command works on your side as well?
>
> oc adm policy add-role-to-user monitoring-alertmanager-edit testuser-11 -n
> openshift-monitoring --role-namespace openshift-monitoring

no issue for the above command

# oc -n openshift-monitoring get RoleBinding monitoring-alertmanager-edit -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2021-07-27T06:28:38Z"
  name: monitoring-alertmanager-edit
  namespace: openshift-monitoring
  resourceVersion: "202850"
  uid: 7afdc5d2-72db-4679-803b-018493a77740
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: monitoring-alertmanager-edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: testuser-11

Ok, in that case I am closing the bug. Please open an RFE if you think the current behaviour could be improved.
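
An audit for the situation discussed in this thread, as an added example that is not part of the original report or of oc: it flags every RoleBinding whose roleRef.kind is ClusterRole while a Role of the same name exists in the binding's namespace. The function names, the input shape (merged `items` arrays from `oc get role,rolebinding -A -o json` and `oc get clusterrole -o json`) and the sample objects are assumptions.

```python
# Audit: RoleBinding -> ClusterRole where a same-named Role exists locally.
def audit_role_refs(items):
    """items: merged `items` arrays from `oc get role,rolebinding -A -o json`
    and `oc get clusterrole -o json` (assumed input shape)."""
    roles = {(i["metadata"]["namespace"], i["metadata"]["name"])
             for i in items if i["kind"] == "Role"}
    cluster_roles = {i["metadata"]["name"]
                     for i in items if i["kind"] == "ClusterRole"}
    findings = []
    for i in items:
        if i["kind"] != "RoleBinding" or i["roleRef"]["kind"] != "ClusterRole":
            continue
        ns, ref = i["metadata"]["namespace"], i["roleRef"]["name"]
        if (ns, ref) not in roles:
            continue  # no same-named Role in this namespace, nothing to confuse
        # "shadowed": the ClusterRole's rules apply, not the local Role's.
        # "dangling": no such ClusterRole in the input, so no rules are granted.
        state = "shadowed" if ref in cluster_roles else "dangling"
        subjects = [s["name"] for s in i.get("subjects") or []]
        findings.append((ns, i["metadata"]["name"], ref, state, subjects))
    return findings


def _obj(kind, name, ns=None, ref_kind=None, ref=None, users=()):
    """Build a minimal constructed object; not real cluster output."""
    o = {"kind": kind, "metadata": {"name": name}}
    if ns:
        o["metadata"]["namespace"] = ns
    if ref:
        o["roleRef"] = {"kind": ref_kind, "name": ref}
        o["subjects"] = [{"kind": "User", "name": u} for u in users]
    return o


# Constructed sample: names from the report plus hypothetical "demo" objects.
# It includes no ClusterRole named monitoring-alertmanager-edit; the report
# does not say whether one exists on the cluster.
SAMPLE = [
    _obj("Role", "monitoring-alertmanager-edit", "openshift-monitoring"),
    _obj("RoleBinding", "monitoring-alertmanager-edit", "openshift-monitoring",
         "ClusterRole", "monitoring-alertmanager-edit", ["testuser-11"]),
    _obj("ClusterRole", "view"),
    _obj("Role", "view", "demo"),
    _obj("RoleBinding", "view-local", "demo", "ClusterRole", "view", ["alice"]),
    _obj("RoleBinding", "ok", "demo", "Role", "view", ["bob"]),
]

if __name__ == "__main__":
    for finding in audit_role_refs(SAMPLE):
        print(finding)
```

Each finding is a binding to recreate with --role-namespace set to its own namespace if the namespaced Role was the intended target.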