You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Follow up from this issue: #34076 which was fixed in 2.6.0. Since then we have seen errors in 2.6.2 around it. Potentially because system users don't have usernames:
kubectl get users -o custom-columns=Name:metadata.name,Username:username,DisplayName:displayName | head -10
Name Username DisplayName
u-pjvstnafg <none> User 1
u-qipiwphye <none> User 2
u-klujqkr42 <none> System account for Project p-4lc6c
u-majekn4pz <none> System account for Project p-87k61
u-uewiyjhkr <none> System account for Cluster c-wxlr3
Rancher was assuming that all role template bindings were for users, when in reality the UserName field of a role template binding might be empty if the binding is actually for a group.
What was fixed, or what changes have occurred
Check whether the binding is for a user or a group, and only make impersonation accounts for users.
Areas or cases that should be tested
Deploying a downstream cluster with cluster/project owners/members
What areas could experience regressions?
No likely regressions
Are the repro steps accurate/minimal?
Repro steps:
Set up an auth provider that has groups in it, I used GitHub
Create a downstream cluster, and add as a cluster member a group from the auth provider
Once the cluster becomes ready, the warning logs will start to appear
Created a downstream rke1 cluster and added a group, user as cluster owner, cluster member and project owner, project member.
Verified the rancher logs and following errors are seen:
2022/03/03 05:17:20 [WARNING] could not find user , will not create impersonation account on cluster
2022/03/03 05:17:20 [WARNING] could not find user , will not create impersonation account on cluster
2022/03/03 05:17:21 [WARNING] could not find user , will not create impersonation account on cluster
2022/03/03 05:17:21 [WARNING] could not find user , will not create impersonation account on cluster
Follow up from this issue: #34076 which was fixed in 2.6.0. Since then we have seen errors in 2.6.2 around it. Potentially because system users don't have usernames:
Code: https://github.com/rancher/rancher/blob/release/v2.6/pkg/controllers/managementuser/rbac/impersonation_handler.go#L47
SURE-3869
SURE-3874
The text was updated successfully, but these errors were encountered: