Reconciliation adds duplicated subjects on server start #53296

Closed
enj opened this issue Sep 30, 2017 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. sig/auth Categorizes an issue or PR as relevant to SIG Auth.

enj commented Sep 30, 2017

/kind bug

What happened:

Bootstrapped RBAC role bindings incorrectly add duplicate subjects on server start.

What you expected to happen:

Reconciliation should not add subjects that already exist.

How to reproduce it (as minimally and precisely as possible):

Restart an API master multiple times. See that bootstrap role bindings have duplicated subjects.

Environment:

master: d2bbeb6

xref openshift/origin#16611

@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Sep 30, 2017
@k8s-github-robot k8s-github-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Sep 30, 2017
@k8s-github-robot
@enj
There are no sig labels on this issue. Please add a sig label by:

  1. mentioning a sig: @kubernetes/sig-<group-name>-<group-suffix>
    e.g., @kubernetes/sig-contributor-experience-<group-suffix> to notify the contributor experience sig, OR

  2. specifying the label manually: /sig <label>
    e.g., /sig scalability to apply the sig/scalability label

Note: Method 1 will trigger an email to the group. You can find the group list here and label list here.
The <group-suffix> in the method 1 has to be replaced with one of these: bugs, feature-requests, pr-reviews, test-failures, proposals

enj commented Sep 30, 2017

/sig auth

@k8s-ci-robot k8s-ci-robot added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Sep 30, 2017

enj commented Sep 30, 2017

/assign @enj

@k8s-github-robot k8s-github-robot removed the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Sep 30, 2017
k8s-github-robot pushed a commit that referenced this issue Sep 30, 2017
Automatic merge from submit-queue (batch tested with PRs 51034, 53239). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Correct APIGroup for RoleBindingBuilder Subjects

This change corrects `RoleBindingBuilder` to use the RBAC API group with users and groups as subjects (service accounts use the empty string since they are in the legacy core group).  This is based on the defaulting in `pkg/apis/rbac/v1/defaults.go#SetDefaults_Subject`.  This is required because the bootstrap RBAC data is built with these helpers and does not go through defaulting, whereas the data retrieved from the server has already gone through defaulting.  This can lead to the reconciliation code incorrectly adding duplicate subjects because it believes that they are missing (since the API groups do not match).

Signed-off-by: Monis Khan <mkhan@redhat.com>

```release-note
Fixes an issue with RBAC reconciliation that could cause duplicated subjects in some bootstrapped rolebindings on each restart of the API server.
```

/assign @liggitt
/sig auth

Fixes #53296
Fixes openshift/origin/issues/16611
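
The mismatch described in the commit message above, as an added Go sketch that is not the Kubernetes reconciliation code: `Subject`, `defaultSubject`, `reconcile` and `restarts` are simplified, hypothetical stand-ins, and the group name `example:group` is constructed. It shows a subject built without an API group being re-added on every start, while one built with the RBAC group is added once.

```go
package main

import "fmt"

// Subject is a simplified stand-in for an RBAC subject (assumption, not the real type).
type Subject struct{ Kind, APIGroup, Name string }

const rbacGroup = "rbac.authorization.k8s.io"

// defaultSubject applies the defaulting the commit message describes: users and
// groups get the RBAC API group, service accounts keep the empty (core) group.
func defaultSubject(s Subject) Subject {
	if s.APIGroup == "" && (s.Kind == "User" || s.Kind == "Group") {
		s.APIGroup = rbacGroup
	}
	return s
}

// reconcile appends every expected subject that has no exact match in existing.
func reconcile(existing, expected []Subject) []Subject {
	out := append([]Subject{}, existing...)
	for _, want := range expected {
		found := false
		for _, have := range existing {
			found = found || have == want
		}
		if !found {
			out = append(out, want)
		}
	}
	return out
}

// restarts simulates n server starts: reconcile, then persist (server-side defaulting).
func restarts(n int, expected []Subject) []Subject {
	var stored []Subject
	for i := 0; i < n; i++ {
		stored = reconcile(stored, expected)
		for j := range stored {
			stored[j] = defaultSubject(stored[j])
		}
	}
	return stored
}

func main() {
	undefaulted := []Subject{{Kind: "Group", Name: "example:group"}} // constructed
	corrected := []Subject{{Kind: "Group", APIGroup: rbacGroup, Name: "example:group"}}
	fmt.Println(len(restarts(3, undefaulted)), len(restarts(3, corrected)))
}
```

Counting subjects per binding after a restart is a quick check for whether a cluster was affected.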