  1. Red Hat Advanced Cluster Management
  2. ACM-22985

ClusterPermission: Rolebinding managedserviceaccount subject ns does not change after the MSA addon agent ns changes


    • Quality / Stability / Reliability
    • 1
    • False
    • False
    • Workload Mgmt Train 32 - 1, Workload Mgmt Train 32 - 2, Workload Mgmt Train 33 - 1, Workload Mgmt Train 33 - 2, Workload Mgmt Train 34 - 1
    • Moderate
    • None

      Description of problem:

      Rolebinding managedserviceaccount subject ns does not change after the MSA addon agent ns changes

      Version-Release number of selected component (if applicable):

      How reproducible:

      Steps to Reproduce:

      1. Install the clusterpermission component, and install the managedserviceaccount addon agent in the open-cluster-management-agent-addon ns
      2. create a managedserviceaccount my-sample

       

      kubectl create -f - <<EOF
      apiVersion: authentication.open-cluster-management.io/v1beta1
      kind: ManagedServiceAccount
      metadata:
        name: my-sample
        namespace: cluster1
      spec:
        rotation: {}
      EOF

       

      3. create a clusterpermission to use ManagedServiceAccount as a subject:

      apiVersion: rbac.open-cluster-management.io/v1alpha1
      kind: ClusterPermission
      metadata:
        name: clusterpermission-msa-subject-sample
        namespace: cluster1
      spec:
        roles:
        - namespace: default
          rules:
          - apiGroups: ["apps"]
            resources: ["deployments"]
            verbs: ["update"]
        roleBindings:
        - namespace: default
          roleRef:
            kind: Role
          subject:
            apiGroup: authentication.open-cluster-management.io
            kind: ManagedServiceAccount
            name: my-sample
       

      4. check the rolebinding is created on the managed cluster cluster1 in the default ns, and the subject is serviceaccount my-sample in the open-cluster-management-agent-addon ns

      oc get rolebindings -n default clusterpermission-msa-subject-sample -oyaml 

      5. create an addondeploymentconfig to set the managedserviceaccount addon agent ns to test-ns

       

      oc create -f - <<EOF
      apiVersion: addon.open-cluster-management.io/v1alpha1
      kind: AddOnDeploymentConfig
      metadata:
        name: msa-deploy-config
        namespace: default
      spec:
        agentInstallNamespace: test-ns
      EOF

      6. change the managedserviceaccount managedclusteraddon to use the created AddOnDeploymentConfig

       

      apiVersion: addon.open-cluster-management.io/v1alpha1
      kind: ManagedClusterAddOn
      metadata:
        name: managed-serviceaccount
        namespace: cluster1
      spec:
        installNamespace: open-cluster-management-agent-addon
        configs:
        - group: addon.open-cluster-management.io
          resource: addondeploymentconfigs
          name: msa-deploy-config
          namespace: default

      7. check the rolebinding again on the managed cluster cluster1 in the default ns, and check whether the subject ns is changed to test-ns

      oc get rolebindings -n default clusterpermission-msa-subject-sample -oyaml 

      Actual results:

      The rolebinding subject ns is still open-cluster-management-agent-addon

      Expected results:

      The rolebinding subject ns is changed to test-ns

      Additional info:

              fxiang@redhat.com Feng Xiang
              jiazhu@redhat.com Jian Zhu
              Hui Chen Hui Chen
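
The check from steps 4 and 7, written as an added example that is not part of the original report or the project's code: it resolves the namespace the MSA agent should run in and flags RoleBinding subjects still bound to another namespace. The sample objects are constructed from the YAML above, and the rule that the AddOnDeploymentConfig's agentInstallNamespace overrides installNamespace is an assumption taken from the expected result.

```python
ADC_GROUP = "addon.open-cluster-management.io"

def expected_agent_namespace(addon, deploy_configs):
    """Namespace the addon agent should run in. Assumption (from the report's
    expected result): a referenced AddOnDeploymentConfig's
    agentInstallNamespace wins over spec.installNamespace."""
    spec = addon.get("spec", {})
    for ref in spec.get("configs") or []:
        if ref.get("group") == ADC_GROUP and ref.get("resource") == "addondeploymentconfigs":
            cfg = deploy_configs.get((ref.get("namespace"), ref.get("name")), {})
            ns = cfg.get("spec", {}).get("agentInstallNamespace")
            if ns:
                return ns
    return spec.get("installNamespace")

def stale_subjects(rolebinding, msa_name, agent_ns):
    """ServiceAccount subjects for msa_name bound in a namespace other than agent_ns."""
    return [s for s in rolebinding.get("subjects") or []
            if s.get("kind") == "ServiceAccount"
            and s.get("name") == msa_name
            and s.get("namespace") != agent_ns]

# Constructed sample objects mirroring the report; in practice these would be
# loaded from `oc get ... -o json` on the hub and on the managed cluster.
ADDON = {
    "metadata": {"name": "managed-serviceaccount", "namespace": "cluster1"},
    "spec": {
        "installNamespace": "open-cluster-management-agent-addon",
        "configs": [{"group": ADC_GROUP, "resource": "addondeploymentconfigs",
                     "name": "msa-deploy-config", "namespace": "default"}],
    },
}
DEPLOY_CONFIGS = {
    ("default", "msa-deploy-config"): {"spec": {"agentInstallNamespace": "test-ns"}},
}
ROLEBINDING = {
    "metadata": {"name": "clusterpermission-msa-subject-sample", "namespace": "default"},
    "subjects": [{"kind": "ServiceAccount", "name": "my-sample",
                  "namespace": "open-cluster-management-agent-addon"}],
}

if __name__ == "__main__":
    ns = expected_agent_namespace(ADDON, DEPLOY_CONFIGS)
    for s in stale_subjects(ROLEBINDING, "my-sample", ns):
        print(f"stale subject {s['namespace']}/{s['name']}; agent namespace is {ns}")
```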