[BUG] request.clusterRoles variable not resolving when a RoleBinding references a ClusterRole #3177
Comments
Hi @chipzoller - how did you bind the ClusterRole to this user From the steps you provided above, the clusterrole From the definition below, the
This is how I bind a clusterrole to a particular user.
Since a RoleBinding is a Namespaced resource, and the Namespace is called out in the
OK. And how does this user
I see. I thought
I just noticed that After I changed the rule message to
Since the request was actually sent from the serviceaccount, after I excluded SA
Yes, that is correct. The problem captured in this issue is that the
We used to do this additional lookup from serviceaccount to clusterrole/role. @mritunjaysharma394 - can you please confirm? We can also test sending admission requests via a ClusterRole/Role and check
Sure @realshuting, working on it
So it seems, they are not directly a bug but basically it seems an issue to make the logic crispier so that the
IMHO, Kyverno being able to lookup and derive these variables which aren't present in the API server's AdmissionReview resource (that is,
Agreed! Let's investigate possible solutions and propose for 1.7.0.
Software version numbers
State the version numbers of applications involved in the bug.
Describe the bug
The variable request.clusterRoles is resolving to null when a ServiceAccount (Namespaced) is bound to a ClusterRole.
To Reproduce
Steps to reproduce the behavior:
test
test
called developer
test
called default-deny-ingress
request.clusterRoles is null
Although the edit is blocked as expected, the request.clusterRoles is not resolved and therefore printed as null in the error message.
Expected behavior
The edit is blocked (as it is now) but the array of strings substituted for request.clusterRoles contains, at minimum, the string developer.
Additional context
Slack convo here.
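The expected behavior above, as an added Go sketch that is not Kyverno's code: it derives roles and cluster roles for a subject from its bindings and counts a ClusterRole referenced by a namespaced RoleBinding as a cluster role. The types are simplified stand-ins for the rbac/v1 objects, and the ServiceAccount name demo-sa, the Role pod-reader, the user alice and the "namespace:name" role format are assumptions made for the example.

```go
package main

import "fmt"

// Subject and Binding are simplified stand-ins for the rbac/v1 types.
type Subject struct{ Kind, Namespace, Name string }

type Binding struct {
	Namespace string // "" for a ClusterRoleBinding
	RoleKind  string // roleRef.kind: "Role" or "ClusterRole"
	RoleName  string // roleRef.name
	Subjects  []Subject
}

// ResolveRoles lists the roles ("namespace:name") and cluster roles bound to s.
// A ClusterRole counts as a cluster role even when a namespaced RoleBinding
// references it, which is the case this issue reports as resolving to null.
func ResolveRoles(s Subject, bindings []Binding) (roles, clusterRoles []string) {
	for _, b := range bindings {
		for _, sub := range b.Subjects {
			if sub != s {
				continue // binding does not name this subject
			}
			switch b.RoleKind {
			case "ClusterRole":
				clusterRoles = append(clusterRoles, b.RoleName)
			case "Role":
				roles = append(roles, b.Namespace+":"+b.RoleName)
			}
		}
	}
	return roles, clusterRoles
}

// SampleBindings is constructed data; the ServiceAccount name is hypothetical.
func SampleBindings() (Subject, []Binding) {
	sa := Subject{"ServiceAccount", "test", "demo-sa"}
	return sa, []Binding{
		{"test", "ClusterRole", "developer", []Subject{sa}},           // RoleBinding -> ClusterRole
		{"test", "Role", "pod-reader", []Subject{sa}},                 // RoleBinding -> Role
		{"", "ClusterRole", "view", []Subject{{"User", "", "alice"}}}, // other subject
	}
}

func main() {
	sa, bindings := SampleBindings()
	roles, clusterRoles := ResolveRoles(sa, bindings)
	fmt.Println(roles, clusterRoles)
}
```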