Task
Resolution: Unresolved
Critical
ACM 2.8.0
For MSA accounts created in a namespace different from the default addon one, we create a custom ManifestWork to create a RoleBinding for the ServiceAccount in that namespace.
The issue is that the RoleBinding has the same name as the one created by the initial ManifestWork, and since this is a global resource, both ManifestWorks own it. Each ManifestWork keeps updating the RoleBinding:
```
oc get clusterrolebinding managedserviceaccount-import -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2023-10-25T15:42:54Z"
  name: managedserviceaccount-import
  ownerReferences:
  - apiVersion: work.open-cluster-management.io/v1
    kind: AppliedManifestWork
    name: 13583c9e64c6bd8e94c94f7aa0e5a3b873c8033fc07c1f2ceb7c6b5da3056750-addon-managed-serviceaccount-import
    uid: b5fcf244-e461-404a-88c7-4c4aeba5db57
  - apiVersion: work.open-cluster-management.io/v1
    kind: AppliedManifestWork
    name: 13583c9e64c6bd8e94c94f7aa0e5a3b873c8033fc07c1f2ceb7c6b5da3056750-addon-managed-serviceaccount-import-custom
    uid: c0476c37-c3b0-4184-bedd-e9ffb10e131c
  resourceVersion: "49530"
  uid: 597859e7-ce78-43dc-8b65-b038492751bc
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: klusterlet-bootstrap-kubeconfig
subjects:
- kind: ServiceAccount
  name: auto-import-account
  namespace: open-cluster-management-addon-observability
```
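An added example, not part of the original issue or the ACM code: a Python check that scans ManifestWork objects for a resource claimed by more than one of them and reports whether the competing definitions differ. The sample objects are constructed; the ManifestWork names are inferred from the AppliedManifestWork name suffixes above, and the default-addon subject namespace `open-cluster-management-agent-addon` is an assumption.

```python
import json
from collections import defaultdict

def _crb(sa_namespace):
    # Constructed ClusterRoleBinding mirroring the object shown in the issue.
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "managedserviceaccount-import"},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                    "name": "klusterlet-bootstrap-kubeconfig"},
        "subjects": [{"kind": "ServiceAccount", "name": "auto-import-account",
                      "namespace": sa_namespace}],
    }

def _work(name, manifests):
    # Minimal ManifestWork: only the fields this check reads.
    return {"apiVersion": "work.open-cluster-management.io/v1", "kind": "ManifestWork",
            "metadata": {"name": name}, "spec": {"workload": {"manifests": manifests}}}

# Constructed sample input; the first subject namespace is an assumption.
SAMPLE_WORKS = [
    _work("addon-managed-serviceaccount-import",
          [_crb("open-cluster-management-agent-addon")]),
    _work("addon-managed-serviceaccount-import-custom",
          [_crb("open-cluster-management-addon-observability")]),
]

def find_contended(works):
    """Map each resource claimed by more than one ManifestWork to its owners."""
    claims = defaultdict(list)
    for work in works:
        for m in work["spec"]["workload"]["manifests"]:
            meta = m["metadata"]
            # Cluster-scoped objects have no namespace, so the name alone collides.
            key = (m["apiVersion"], m["kind"], meta.get("namespace", ""), meta["name"])
            # Compare everything except metadata (roleRef, subjects, ...).
            body = json.dumps({k: v for k, v in m.items() if k != "metadata"},
                              sort_keys=True)
            claims[key].append((work["metadata"]["name"], body))
    return {key: {"owners": [owner for owner, _ in entries],
                  "divergent": len({body for _, body in entries}) > 1}
            for key, entries in claims.items() if len(entries) > 1}

if __name__ == "__main__":
    for key, info in find_contended(SAMPLE_WORKS).items():
        print(key, info)
```

A `divergent` hit on an RBAC object means the effective subjects of the binding depend on which ManifestWork was applied last.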