-
Notifications
You must be signed in to change notification settings - Fork 38.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reconciliation adds duplicated subjects on server start #53296
Comments
@enj
Note: Method 1 will trigger an email to the group. You can find the group list here and label list here. |
/sig auth |
/assign @enj |
Automatic merge from submit-queue (batch tested with PRs 51034, 53239). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Correct APIGroup for RoleBindingBuilder Subjects This change corrects `RoleBindingBuilder` to use the RBAC API group with users and groups as subjects (service accounts use the empty string since they are in the legacy core group). This is based on the defaulting in `pkg/apis/rbac/v1/defaults.go#SetDefaults_Subject`. This is required because the bootstrap RBAC data is built with these helpers and does not go through defaulting, whereas the data retrieved from the server has already gone through defaulting. This can lead to the reconciliation code incorrectly adding duplicate subjects because it believes that they are missing (since the API groups do not match). Signed-off-by: Monis Khan <mkhan@redhat.com> ```release-note Fixes an issue with RBAC reconciliation that could cause duplicated subjects in some bootstrapped rolebindings on each restart of the API server. ``` /assign @liggitt /sig auth Fixes #53296 Fixes openshift/origin/issues/16611
/kind bug
What happened:
Bootstrapped RBAC role bindings incorrectly add duplicate subjects on server start.
What you expected to happen:
Reconciliation should not add subjects that already exist.
How to reproduce it (as minimally and precisely as possible):
Restart an API master multiple time. See that bootstrap role bindings have duplicated subjects.
Environment:
master: d2bbeb6
xref openshift/origin#16611
The text was updated successfully, but these errors were encountered: