-
Feature
-
Resolution: Unresolved
-
Undefined
-
None
-
ACM 2.14.0
-
Product / Portfolio Work
-
False
-
-
False
-
Not Selected
Description of problem:
A ClusterPermission is created in the UI with role X. If that same ClusterPermission is edited in UI and the role is changed to role Y, the ClusterPermission itself will show success. However the underlying ManifestWork will show this error:
ubuntu@ubuntu2404:~/UbuntuSync$ kubectl -n jorge-sno-418 get ManifestWork jorge-sno-418-mshort777-mulinamespace-c4f6c -o yaml ... status: conditions: - lastTransitionTime: "2025-06-13T20:49:10Z" message: Failed to apply manifest work observedGeneration: 26 reason: AppliedManifestWorkFailed status: "False" type: Applied - lastTransitionTime: "2025-06-13T20:42:38Z" message: All resources are available observedGeneration: 26 reason: ResourcesAvailable status: "True" type: Available resourceStatus: manifests: - conditions: - lastTransitionTime: "2025-06-13T20:49:10Z" message: 'Failed to apply manifest: RoleBinding.rbac.authorization.k8s.io "jorge-sno-418-mshort777-mulinamespace-0" is invalid: roleRef: Invalid value: rbac.RoleRef{APIGroup:"rbac.authorization.k8s.io", Kind:"ClusterRole", Name:"kubevirt.io:admin"}: cannot change roleRef' reason: AppliedManifestFailed status: "False" type: Applied
The issue is that ManifestWork does not support role change. We can either fix this in the UI, or this can be enhanced in the backend to support this change.
Version-Release number of selected component (if applicable):
How reproducible:
Every time.
Steps to Reproduce:
- Create ClusterPermission from UI
- Edit ClusterPermission and change role
Actual results:
Error in ManifestWork and rolebindings are not updated with new role.
Expected results:
Role should either update or UI should prevent this change.