Description of problem:

RoleBinding can give users or groups access to a specific role in a namespace.

The project access tab currently doesn't allow the (frontend) user to define the resource type of a user or group reference. All new fields are automatically saved as User references.

When entering 'a-username' and selecting 'View', it automatically creates a RoleBinding like this:

    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: a-username-view-<generated-id>
    subjects:
      - kind: User
        apiGroup: rbac.authorization.k8s.io
        name: a-username
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: view

It currently shows existing users and groups RoleBindings. If the user doesn't touch a group reference it will not be updated/destroyed.

But when changing a group RoleBinding role (from View to Edit for example), it removes the old RoleBinding and creates a new one for a user (with the correct name but the wrong kind).

Version-Release number of selected component (if applicable):
4.10 (tested only on 4.11 master, but it might exist also on older versions than 4.10)

How reproducible:
Always

Steps to Reproduce:

1. Create a Group and RoleBinding for the current namespace:

    apiVersion: user.openshift.io/v1
    kind: Group
    metadata:
      name: a-group
    users:
      - user1
      - user2
    ---
    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      generateName: a-group-binding
    subjects:
      - kind: Group
        apiGroup: rbac.authorization.k8s.io
        name: a-group
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: view

2. Open the current Project > Project access tab
3. Change the role from the group "a-group" from View to Edit
4. Search for the newly created RoleBinding "a-group-edit...." for "a-group"

Actual results:
The RoleBinding refers to a user instead of a group now. Everything looks like before and the user can not see/expect that the kind was changed.

Expected results:
The subject kind should not be changed when updating just the role.

Additional info:
Initial slack thread https://coreos.slack.com/archives/C6A3NV5J9/p1646894320606469
This is a follow-up ticket on https://issues.redhat.com/browse/OHSS-10651 and https://bugzilla.redhat.com/show_bug.cgi?id=2066897
See also https://kubernetes.io/docs/reference/access-authn-authz/rbac/
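An audit for bindings already affected by the behaviour described above, as an added example that is not part of the original report or the console's code: it flags RoleBindings whose subject is kind User but whose name matches an existing Group. The sample bindings, their generated name suffixes, the `demo` namespace and the function names are constructed for illustration.

```python
# Constructed sample input (not from a real cluster), shaped like the items of
# `oc get rolebindings -n <namespace> -o json` and the names from `oc get groups`.
GROUP_NAMES = {"a-group"}
USER_NAMES = {"a-username", "user1", "user2"}
RBAC = "rbac.authorization.k8s.io"

def binding(name, kind, subject, role):
    """Build a minimal RoleBinding dict for the sample data."""
    return {
        "metadata": {"name": name, "namespace": "demo"},
        "subjects": [{"kind": kind, "apiGroup": RBAC, "name": subject}],
        "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": role},
    }

ROLEBINDINGS = [
    binding("a-username-view-k3j9d", "User", "a-username", "view"),  # real user
    binding("a-group-binding-x7k2p", "Group", "a-group", "view"),    # step 1, for contrast
    binding("a-group-edit-q8w1z", "User", "a-group", "edit"),        # recreated by the tab
    {"metadata": {"name": "empty", "namespace": "demo"}, "subjects": None,
     "roleRef": {"apiGroup": RBAC, "kind": "ClusterRole", "name": "view"}},
]

def find_rekinded_subjects(rolebindings, group_names, user_names=frozenset()):
    """Flag User subjects whose name is a known Group and not a known user."""
    findings = []
    for rb in rolebindings:
        meta = rb.get("metadata", {})
        for subject in rb.get("subjects") or []:  # subjects may be absent or null
            name = subject.get("name")
            if subject.get("kind") != "User" or name not in group_names:
                continue
            if name in user_names:  # a user and a group legitimately share the name
                continue
            findings.append({
                "namespace": meta.get("namespace"),
                "rolebinding": meta.get("name"),
                "subject": name,
                "role": rb.get("roleRef", {}).get("name"),
                "expected_kind": "Group",
            })
    return findings

if __name__ == "__main__":
    for f in find_rekinded_subjects(ROLEBINDINGS, GROUP_NAMES, USER_NAMES):
        print("{namespace}/{rolebinding}: subject '{subject}' is kind User but matches "
              "a Group; role {role} is not granted to the group".format(**f))
```

A finding is a candidate for review, not proof: the match is by name only, so confirm the intended subject before recreating the binding with kind Group.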
Verified on 4.11.0-0.nightly-2022-05-20-213928
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069