Sub-task
Resolution: Done
Major
Product / Portfolio Work
VMMgmt - Train-31
If we create a ClusterPermission with multiple rolebindings like in this example:

apiVersion: rbac.open-cluster-management.io/v1alpha1
kind: ClusterPermission
metadata:
  name: multiplerb-nonames-errortest
  namespace: local-cluster
spec:
  roleBindings:
    - namespace: acm-cluster-virt
      roleRef:
        name: kubevirt.io:view
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
      subjects:
        - name: Kike
          apiGroup: rbac.authorization.k8s.io
          kind: User
        - name: Kurtis
          apiGroup: rbac.authorization.k8s.io
          kind: User
    - namespace: acm-cluster-virt
      roleRef:
        name: kubevirt.io:default
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
      subjects:
        - name: Kike
          apiGroup: rbac.authorization.k8s.io
          kind: User
        - name: Kurtis
          apiGroup: rbac.authorization.k8s.io
          kind: User
    - namespace: acm-cluster-virt
      roleRef:
        name: kubevirt.io:admin
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
      subjects:
        - name: Kike
          apiGroup: rbac.authorization.k8s.io
          kind: User
        - name: Kurtis
          apiGroup: rbac.authorization.k8s.io
          kind: User
The ClusterPermission object itself will show successful:

ubuntu@ubuntu2404:~/UbuntuSync/ACM/clusterpermissionyaml$ oc get clusterpermissions -n local-cluster multiplerb-nonames-errortest -oyaml
apiVersion: rbac.open-cluster-management.io/v1alpha1
kind: ClusterPermission
metadata:
  creationTimestamp: "2025-06-02T21:08:59Z"
  generation: 1
  name: multiplerb-nonames-errortest
  namespace: local-cluster
  resourceVersion: "7647298"
  uid: 4c0de950-175e-4dc7-a562-9e2bb0a59ed4
spec:
  roleBindings:
  - namespace: acm-cluster-virt
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: kubevirt.io:view
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: Kike
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: Kurtis
  - namespace: acm-cluster-virt
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: kubevirt.io:default
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: Kike
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: Kurtis
  - namespace: acm-cluster-virt
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: kubevirt.io:admin
    subjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: Kike
    - apiGroup: rbac.authorization.k8s.io
      kind: User
      name: Kurtis
status:
  conditions:
  - lastTransitionTime: "2025-06-02T21:08:59Z"
    message: |-
      Run the following command to check the ManifestWork status:
      kubectl -n local-cluster get ManifestWork multiplerb-nonames-errortest-4c0de -o yaml
    reason: AppliedRBACManifestWork
    status: "True"
    type: AppliedRBACManifestWork
However, after checking the ManifestWork, we see this error:

ubuntu@ubuntu2404:~/UbuntuSync/ACM/clusterpermissionyaml$ kubectl -n local-cluster get ManifestWork multiplerb-nonames-errortest-4c0de -o yaml
apiVersion: work.open-cluster-management.io/v1
kind: ManifestWork
metadata:
  creationTimestamp: "2025-06-02T21:08:59Z"
  finalizers:
  - cluster.open-cluster-management.io/manifest-work-cleanup
  generation: 1
  name: multiplerb-nonames-errortest-4c0de
  namespace: local-cluster
  ownerReferences:
  - apiVersion: rbac.open-cluster-management.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: ClusterPermission
    name: multiplerb-nonames-errortest
    uid: 4c0de950-175e-4dc7-a562-9e2bb0a59ed4
  resourceVersion: "7647312"
  uid: b6838069-6f12-409e-bf5c-692f5d24712d
spec:
  workload:
    manifests:
    - apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: multiplerb-nonames-errortest
        namespace: acm-cluster-virt
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: kubevirt.io:view
      subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: Kike
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: Kurtis
    - apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: multiplerb-nonames-errortest
        namespace: acm-cluster-virt
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: kubevirt.io:default
      subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: Kike
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: Kurtis
    - apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: multiplerb-nonames-errortest
        namespace: acm-cluster-virt
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: kubevirt.io:admin
      subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: Kike
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: Kurtis
status:
  conditions:
  - lastTransitionTime: "2025-06-02T21:08:59Z"
    message: Failed to apply manifest work
    observedGeneration: 1
    reason: AppliedManifestWorkFailed
    status: "False"
    type: Applied
  - lastTransitionTime: "2025-06-02T21:08:59Z"
    message: All resources are available
    observedGeneration: 1
    reason: ResourcesAvailable
    status: "True"
    type: Available
  resourceStatus:
    manifests:
    - conditions:
      - lastTransitionTime: "2025-06-02T21:08:59Z"
        message: Apply manifest complete
        reason: AppliedManifestComplete
        status: "True"
        type: Applied
      - lastTransitionTime: "2025-06-02T21:08:59Z"
        message: Resource is available
        reason: ResourceAvailable
        status: "True"
        type: Available
      - lastTransitionTime: "2025-06-02T21:08:59Z"
        message: ""
        reason: NoStatusFeedbackSynced
        status: "True"
        type: StatusFeedbackSynced
      resourceMeta:
        group: rbac.authorization.k8s.io
        kind: RoleBinding
        name: multiplerb-nonames-errortest
        namespace: acm-cluster-virt
        ordinal: 0
        resource: rolebindings
        version: v1
      statusFeedback: {}
    - conditions:
      - lastTransitionTime: "2025-06-02T21:08:59Z"
        message: 'Failed to apply manifest: RoleBinding.rbac.authorization.k8s.io "multiplerb-nonames-errortest" is invalid: roleRef: Invalid value: rbac.RoleRef{APIGroup:"rbac.authorization.k8s.io", Kind:"ClusterRole", Name:"kubevirt.io:default"}: cannot change roleRef'
        reason: AppliedManifestFailed
        status: "False"
        type: Applied
      - lastTransitionTime: "2025-06-02T21:08:59Z"
        message: Resource is available
        reason: ResourceAvailable
        status: "True"
        type: Available
      - lastTransitionTime: "2025-06-02T21:08:59Z"
        message: ""
        reason: NoStatusFeedbackSynced
        status: "True"
        type: StatusFeedbackSynced
      resourceMeta:
        group: rbac.authorization.k8s.io
        kind: RoleBinding
        name: multiplerb-nonames-errortest
        namespace: acm-cluster-virt
        ordinal: 1
        resource: rolebindings
        version: v1
      statusFeedback: {}
    - conditions:
      - lastTransitionTime: "2025-06-02T21:08:59Z"
        message: 'Failed to apply manifest: RoleBinding.rbac.authorization.k8s.io "multiplerb-nonames-errortest" is invalid: roleRef: Invalid value: rbac.RoleRef{APIGroup:"rbac.authorization.k8s.io", Kind:"ClusterRole", Name:"kubevirt.io:admin"}: cannot change roleRef'
        reason: AppliedManifestFailed
        status: "False"
        type: Applied
      - lastTransitionTime: "2025-06-02T21:08:59Z"
        message: Resource is available
        reason: ResourceAvailable
        status: "True"
        type: Available
      - lastTransitionTime: "2025-06-02T21:08:59Z"
        message: ""
        reason: NoStatusFeedbackSynced
        status: "True"
        type: StatusFeedbackSynced
      resourceMeta:
        group: rbac.authorization.k8s.io
        kind: RoleBinding
        name: multiplerb-nonames-errortest
        namespace: acm-cluster-virt
        ordinal: 2
        resource: rolebindings
        version: v1
      statusFeedback: {}
It creates the first RoleBinding successfully, but the second and third fail. This is because we are not supplying a name for each RoleBinding. `name` is an optional field which we did not include; however, it is needed when using multiple roleBindings, because without it the RoleBinding takes the name of the ClusterPermission object:

ubuntu@ubuntu2404:~/UbuntuSync/ACM/clusterpermissionyaml$ oc get rolebinding -A | grep multiplerb-nonames-errortest
acm-cluster-virt   multiplerb-nonames-errortest   ClusterRole/kubevirt.io:view   9m7s

This is problematic because you can't create multiple RoleBindings with the same name. We need to work with the UX team to decide whether the name should be configurable or auto-generated, and then implement a fix for this.
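The naming rule and the failure mode described above, as an added example that is not part of this ticket or of the ACM project: a small pre-flight check that applies the rule the ticket observes (a roleBindings entry without `name` is rendered as a RoleBinding named after the ClusterPermission) to predict which RoleBindings would collide before the ManifestWork is applied, and a reader for a ManifestWork's resourceStatus that surfaces the per-manifest apply failures the ClusterPermission's own condition hides. The sample manifests are constructed as Python dicts mirroring the ticket's YAML; the `<cp-name>-<ordinal>` naming used by `with_unique_names` is an assumption, not a scheme the project has chosen.

```python
"""Pre-flight check for ACM ClusterPermission roleBindings (added example, not project code)."""
import copy
from collections import defaultdict

SUBJECTS = [
    {"name": "Kike", "apiGroup": "rbac.authorization.k8s.io", "kind": "User"},
    {"name": "Kurtis", "apiGroup": "rbac.authorization.k8s.io", "kind": "User"},
]

# Constructed sample mirroring the ticket's manifest: three unnamed bindings in one namespace.
CLUSTER_PERMISSION = {
    "apiVersion": "rbac.open-cluster-management.io/v1alpha1",
    "kind": "ClusterPermission",
    "metadata": {"name": "multiplerb-nonames-errortest", "namespace": "local-cluster"},
    "spec": {
        "roleBindings": [
            {
                "namespace": "acm-cluster-virt",
                "roleRef": {"name": role, "apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole"},
                "subjects": SUBJECTS,
            }
            for role in ("kubevirt.io:view", "kubevirt.io:default", "kubevirt.io:admin")
        ]
    },
}


def effective_name(cp, binding):
    """Name the rendered RoleBinding gets: the entry's own `name`, else the ClusterPermission's name
    (the behaviour observed in the ticket)."""
    return binding.get("name") or cp["metadata"]["name"]


def rendered_rolebindings(cp):
    """Return (namespace, name, roleRef.name) for every RoleBinding the ManifestWork would carry."""
    return [
        (b["namespace"], effective_name(cp, b), b["roleRef"]["name"])
        for b in cp["spec"].get("roleBindings", [])
    ]


def find_collisions(cp):
    """Map (namespace, name) -> roleRef names for each name that more than one binding would use.

    Every key here is one RoleBinding object the work agent tries to create several times:
    the first apply wins and later ones fail with 'cannot change roleRef', so only the
    first roleRef in the list is actually granted.
    """
    by_key = defaultdict(list)
    for ns, name, role in rendered_rolebindings(cp):
        by_key[(ns, name)].append(role)
    return {key: roles for key, roles in by_key.items() if len(roles) > 1}


def with_unique_names(cp):
    """Copy of cp in which each unnamed binding gets '<cp-name>-<ordinal>' (assumed scheme)."""
    fixed = copy.deepcopy(cp)
    base = cp["metadata"]["name"]
    for i, binding in enumerate(fixed["spec"].get("roleBindings", [])):
        if not binding.get("name"):
            binding["name"] = f"{base}-{i}"
    return fixed


def failed_manifests(manifestwork):
    """Return (ordinal, kind/name, message) for each manifest whose Applied condition is False.

    The ClusterPermission reports AppliedRBACManifestWork=True regardless, so a partial
    grant only shows up in the ManifestWork's status.resourceStatus.
    """
    failures = []
    for entry in manifestwork.get("status", {}).get("resourceStatus", {}).get("manifests", []):
        meta = entry.get("resourceMeta", {})
        for cond in entry.get("conditions", []):
            if cond.get("type") == "Applied" and cond.get("status") == "False":
                failures.append((meta.get("ordinal"), f'{meta.get("kind")}/{meta.get("name")}', cond.get("message", "")))
    return failures


# Constructed, abbreviated ManifestWork status shaped like the one in the ticket.
MANIFESTWORK = {
    "status": {"resourceStatus": {"manifests": [
        {"conditions": [{"type": "Applied", "status": "True", "message": "Apply manifest complete"}],
         "resourceMeta": {"kind": "RoleBinding", "name": "multiplerb-nonames-errortest", "ordinal": 0}},
        {"conditions": [{"type": "Applied", "status": "False", "message": "Failed to apply manifest: cannot change roleRef"}],
         "resourceMeta": {"kind": "RoleBinding", "name": "multiplerb-nonames-errortest", "ordinal": 1}},
    ]}}
}

if __name__ == "__main__":
    for key, roles in find_collisions(CLUSTER_PERMISSION).items():
        print(f"collision {key}: {roles}")
    print("after renaming:", find_collisions(with_unique_names(CLUSTER_PERMISSION)))
    for ordinal, obj, msg in failed_manifests(MANIFESTWORK):
        print(f"manifest {ordinal} ({obj}) failed: {msg}")
```

Run against the ticket's manifest, `find_collisions` reports one key, `("acm-cluster-virt", "multiplerb-nonames-errortest")`, carrying all three roleRefs; after `with_unique_names` it reports nothing. The practical point for anyone reviewing ClusterPermission objects is that the effective permission set depends on list order when names collide, and that the `AppliedRBACManifestWork` condition on the ClusterPermission is not sufficient evidence that every binding was granted; `failed_manifests` on the ManifestWork is.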
Relates to: ACM-21186 Implement UXD UI for RBAC for VMs - Handle role/clusterrole change in EDIT (Closed)