Bug 1984942 - ApplyClusterRoleBinding triggers boundsError when adding new subject
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Storage
Version: 4.9
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.9.0
Assignee: Jonathan Dobson
QA Contact: Wei Duan
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-07-22 14:02 UTC by Fabio Bertinatto
Modified: 2021-10-18 17:41 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-18 17:40:51 UTC
Target Upstream Version:
Embargoed:


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
| --- | --- | --- | --- | --- | --- | --- |
| Github | openshift library-go pull 1169 | 0 | None | open | Bug 1984942: ApplyClusterRoleBinding triggers boundsError when adding new subject | 2021-07-29 22:37:46 UTC |
| Github | openshift vmware-vsphere-csi-driver-operator pull 37 | 0 | None | None | None | 2021-08-03 16:26:01 UTC |
| Red Hat Product Errata | RHSA-2021:3759 | 0 | None | None | None | 2021-10-18 17:41:03 UTC |

Comment 1 Jan Safranek 2021-07-23 15:07:00 UTC
It's probably a bug in library-go ApplyClusterRoleBinding / ApplyRoleBinding.

Comment 2 Jonathan Dobson 2021-07-29 22:24:58 UTC
vmware-vsphere-csi-driver-operator was hitting a bounds error:

E0729 20:29:23.814759       1 runtime.go:78] Observed a panic: runtime.boundsError{x:1, y:1, signed:true, code:0x0} (runtime error: index out of range [1] with length 1)
goroutine 614 [running]:
k8s.io/apimachinery/pkg/util/runtime.logPanic(0x299e460, 0xc0016fc720)
        k8s.io/apimachinery.1/pkg/util/runtime/runtime.go:74 +0x95
k8s.io/apimachinery/pkg/util/runtime.HandleCrash(0xc0015bbd58, 0x1, 0x1)
        k8s.io/apimachinery.1/pkg/util/runtime/runtime.go:48 +0x86
panic(0x299e460, 0xc0016fc720)
        runtime/panic.go:965 +0x1b9
github.com/openshift/library-go/pkg/operator/resource/resourceapply.ApplyClusterRoleBinding(0x2f904d0, 0xc000645780, 0x7f41280db860, 0xc000c24f90, 0x2fa5c40, 0xc0002058c0, 0xc0002e4f20, 0xc0008c9680, 0x1, 0x2f3afa0, ...)

Because we added a new ServiceAccount to the ClusterRoleBinding:

https://github.com/openshift/vmware-vsphere-csi-driver-operator/pull/32/files

And this loop in ApplyClusterRoleBinding has a mistake. existingCopy.Subjects[i] should be requiredCopy.Subjects[i].

https://github.com/openshift/library-go/blob/331c921007eb14f1292c5b727da61fb2e7f5be6a/pkg/operator/resource/resourceapply/rbac.go#L83

	for i := range requiredCopy.Subjects {
		if existingCopy.Subjects[i].Kind == "User" {
			requiredCopy.Subjects[i].APIGroup = rbacv1.GroupName
		}
	}

existingCopy.Subjects has 1 entry in this case, and requiredCopy.Subjects has 2 entries. So existingCopy.Subjects[1] triggers the panic.
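
A stand-alone reproduction of the indexing mistake described in comment 2, added here as an example; it is not code from library-go or from the bug's participants. `Subject`, `defaultBuggy` and `defaultFixed` are hypothetical stand-ins for `rbacv1.Subject` and the two forms of the loop, and the subject names are constructed. It also goes one step beyond the reported case: with slices of equal length the quoted loop does not panic, but it decides from the wrong slice.

```go
package main

import "fmt"

// Subject is a local stand-in for rbacv1.Subject (assumption: only these fields matter here).
type Subject struct{ Kind, APIGroup, Name string }

// groupName has the same value as rbacv1.GroupName.
const groupName = "rbac.authorization.k8s.io"

// defaultBuggy is the loop quoted in comment 2: it ranges over required but reads existing[i].
// The panic is recovered and returned as an error so the failure can be inspected.
func defaultBuggy(existing, required []Subject) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%v", r)
		}
	}()
	for i := range required {
		if existing[i].Kind == "User" {
			required[i].APIGroup = groupName
		}
	}
	return nil
}

// defaultFixed reads the same slice it ranges over, as comment 2 proposes.
func defaultFixed(required []Subject) {
	for i := range required {
		if required[i].Kind == "User" {
			required[i].APIGroup = groupName
		}
	}
}

func main() {
	// Constructed input: one subject already bound, a second ServiceAccount newly required.
	existing := []Subject{{Kind: "ServiceAccount", Name: "sa-old"}}
	required := []Subject{{Kind: "ServiceAccount", Name: "sa-old"}, {Kind: "ServiceAccount", Name: "sa-new"}}
	fmt.Println("buggy:", defaultBuggy(existing, required))
	defaultFixed(required)
	fmt.Println("fixed:", required)

	// Equal lengths: no panic, but the User subject is not defaulted because existing[0] is consulted.
	user := []Subject{{Kind: "User", Name: "alice"}}
	fmt.Println("buggy:", defaultBuggy(existing, user), "APIGroup:", fmt.Sprintf("%q", user[0].APIGroup))
}
```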

Comment 3 Jonathan Dobson 2021-08-03 14:12:14 UTC
Need to bump library-go in vmware-vsphere-csi-driver-operator to resolve this bug, moving this back to assigned.

Comment 5 Wei Duan 2021-08-20 02:00:37 UTC
Verified pass on 4.9.0-0.nightly-2021-08-19-184748

Comment 8 errata-xmlrpc 2021-10-18 17:40:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759

