Bug 1684344 - RoleBindingRestriction need move to CRD for 4.x
Summary: RoleBindingRestriction need move to CRD for 4.x
Keywords:
Status: POST
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Auth
Version: 4.1
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 4.1.0
Assignee: Sally
QA Contact: Chuan Yu
Reported: 2019-03-01 03:02 UTC by Chuan Yu
Modified: 2019-04-16 07:02 UTC

Description Chuan Yu 2019-03-01 03:02:23 UTC
Description of problem:
RoleBindingRestriction for 4.x is not working well

Version-Release number of selected component (if applicable):
4.0.0-0.nightly-2019-02-26-125216

How reproducible:
always

Steps to Reproduce:
1. Configure the kubeapiserver cluster with:
spec:
  unsupportedConfigOverrides:
    admissionConfig:
      pluginConfig:
        openshift.io/RestrictSubjectBindings:
          configuration:
            apiversion: v1
            kind: DefaultAdmissionConfig

2. Create a user restriction RoleBindingRestriction for ns pm1 (user pm1 is owner):

apiVersion: v1
kind: RoleBindingRestriction
metadata:
  name: match-users
spec:
  userrestriction:
    users: [""]

3. Try to add the view role to another user as user pm1:
oc policy add-role-to-user view pm3

Actual results:
Adding the view role to the other user succeeds.

Expected results:
Could not add role to other users, and should report an error like:
Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io "view" is forbidden: rolebindings to User "pm3" are not allowed in project "pm1"

Additional info:
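
Added example, not part of the original report and not the admission plugin's own code: a simplified Go model of the decision the report expects from openshift.io/RestrictSubjectBindings, where a project that has any RoleBindingRestriction only admits subjects matched by at least one of them. The type and function names are hypothetical, and label selectors plus group and service-account restrictions are left out.

```go
package main

import "fmt"

// UserRestriction models the userrestriction stanza (label selectors omitted).
type UserRestriction struct{ Users, Groups []string }

// Subject is a RoleBinding subject; Groups is the user's group membership.
type Subject struct {
	Kind, Name string
	Groups     []string
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// matches reports whether this one restriction permits the subject.
func (r UserRestriction) matches(s Subject) bool {
	ok := contains(r.Users, s.Name)
	for _, g := range s.Groups {
		ok = ok || contains(r.Groups, g)
	}
	return ok && s.Kind == "User"
}

// Admit returns nil when the binding is allowed, else the Forbidden reason.
func Admit(project string, rs []UserRestriction, subjects []Subject) error {
	for _, s := range subjects {
		allowed := len(rs) == 0 // no restrictions in the project: nothing to enforce
		for _, r := range rs {
			allowed = allowed || r.matches(s)
		}
		if !allowed {
			return fmt.Errorf("rolebindings to %s %q are not allowed in project %q", s.Kind, s.Name, project)
		}
	}
	return nil
}

func main() {
	rs := []UserRestriction{{Users: []string{""}}} // restriction from the report
	fmt.Println(Admit("pm1", rs, []Subject{{Kind: "User", Name: "pm3"}}))
}
```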

Comment 1 Erica von Buelow 2019-03-06 16:01:10 UTC
https://github.com/openshift/origin/pull/22254

Comment 4 Chuan Yu 2019-03-14 06:50:56 UTC
Verified.

$ oc get clusterversion
NAME      VERSION                            
version   4.0.0-0.nightly-2019-03-13-233958

Comment 5 Chuan Yu 2019-04-01 01:41:15 UTC
Since the changes were reverted (https://github.com/openshift/origin/pull/22416), re-opening the issue.

