Bug
Resolution: Cannot Reproduce
Normal
MCE 2.9.0
Quality / Stability / Reliability
SF Train-32
Moderate
Description of problem:
ManagedServiceAccount secret token does not refresh after the addon agent ns changes
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1. Install the managedserviceaccount addon agent in ns open-cluster-management-agent-addon
2. create a managedserviceaccount my-sample
kubectl create -f - <<EOF
apiVersion: authentication.open-cluster-management.io/v1beta1
kind: ManagedServiceAccount
metadata:
  name: my-sample
  namespace: cluster1
spec:
  rotation: {}
EOF
3. create an addondeploymentconfig to set the managedserviceaccount addon agent ns to test-ns
oc create -f - <<EOF
apiVersion: addon.open-cluster-management.io/v1alpha1
kind: AddOnDeploymentConfig
metadata:
  name: msa-deploy-config
  namespace: default
spec:
  agentInstallNamespace: test-ns
EOF
4. change the managedserviceaccount managedclusteraddon to use the created AddOnDeploymentConfig
apiVersion: addon.open-cluster-management.io/v1alpha1
kind: ManagedClusterAddOn
metadata:
  name: managed-serviceaccount
  namespace: cluster1
spec:
  installNamespace: open-cluster-management-agent-addon
  configs:
  - group: addon.open-cluster-management.io
    resource: addondeploymentconfigs
    name: msa-deploy-config
    namespace: default
5. check if the secret of the managedserviceaccount my-sample changes
$ TOKEN=$(k get secret -n cluster1 my-sample -ojsonpath={.data.token} | base64 -d)
$ echo $TOKEN | xargs -n 1 -I {} oc login --token={} --server=https://127.0.0.1:45965 --insecure-skip-tls-verify=true
$ oc whoami
Actual results:
The result of 'oc whoami' is "system:serviceaccount:open-cluster-management-agent-addon:my-sample"
Expected results:
The result of 'oc whoami' is "system:serviceaccount:test-ns:my-sample"
Additional info:
- is depended on by
  ACM-22985 ClusterPermission: Rolebinding managedserviceaccount subject ns does not change after the MSA addon agent ns changes
  Closed
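An offline version of the step 5 check, as an added example that is not part of the original report: it decodes the token's JWT payload and compares the namespace in the `sub` claim with the expected agent namespace, without logging in to the managed cluster. The function names are hypothetical, the sample token is constructed, and the signature is not verified, so this is a diagnostic for a stale token and not a validity check.

```python
import base64
import json

SA_PREFIX = "system:serviceaccount:"


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a JWT without verifying its signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected a three-segment JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_identity(token: str) -> tuple:
    """Return (namespace, name) parsed from the token's 'sub' claim."""
    sub = jwt_claims(token).get("sub", "")
    if not sub.startswith(SA_PREFIX):
        raise ValueError(f"not a service account subject: {sub!r}")
    namespace, sep, name = sub[len(SA_PREFIX):].partition(":")
    if not (sep and namespace and name):
        raise ValueError(f"malformed service account subject: {sub!r}")
    return namespace, name


def is_stale(token: str, expected_ns: str, expected_name: str) -> bool:
    """True when the token was issued for a different namespace or account."""
    return token_identity(token) != (expected_ns, expected_name)


def make_sample_token(sub: str) -> str:
    """Constructed, unsigned sample token for the demo; not a real credential."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none"}), seg({"sub": sub}), "c2ln"])


if __name__ == "__main__":
    # Constructed input mirroring the "Actual results" subject in the report.
    old = make_sample_token(
        "system:serviceaccount:open-cluster-management-agent-addon:my-sample")
    print(token_identity(old))
    print("stale:", is_stale(old, "test-ns", "my-sample"))
```

In practice the input would be the decoded `.data.token` value of the `my-sample` secret in namespace `cluster1`, as fetched in step 5.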