Uploaded image for project: 'Red Hat Advanced Cluster Management'
  1. Red Hat Advanced Cluster Management
  2. ACM-8514

[2.7] Configuration policy for a role binding with 0 subjects flaps

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Critical Critical
    • ACM 2.7.10
    • None
    • GRC
    • None
    • 1
    • False
    • None
    • False
    • No
    • Moderate

      Description of problem:

      When a ConfigurationPolicy defines a RoleBinding or ClusterRoleBinding, if the subjects array is set to an empty list, then the ConfigurationPolicy will constantly try to update the object.

      Version-Release number of selected component (if applicable):

      How reproducible:

      Steps to Reproduce:

      1. Make a policy defining a (cluster)rolebinding with an explicitly set empty subjects array.

      Actual results:

      The policy's compliance flaps back and forth.

      Expected results:

      The policy should just be compliant, and not have constant updates.

      Additional info:

      Example ClusterRoleBinding:

      apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: empty-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: imaginary-permissions
subjects: []

      The issue is basically that when the kube api server returns this object, it just omits the subjects array. The config policy controller thinks that it needs to add it, and doesn't "know" that such an update is a no-op.

            jkulikau@redhat.com Justin Kulikauskas
            jkulikau@redhat.com Justin Kulikauskas
            Derek Ho Derek Ho
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: