Bug
Resolution: Done
Critical
Moderate
Description of problem:
When a ConfigurationPolicy defines a RoleBinding or ClusterRoleBinding, if the subjects array is set to an empty list, then the ConfigurationPolicy will constantly try to update the object.
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
- Make a policy defining a (cluster)rolebinding with an explicitly set empty subjects array.
Actual results:
The policy's compliance flaps back and forth.
Expected results:
The policy should just be compliant, and not have constant updates.
Additional info:
Example ClusterRoleBinding:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: empty-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: imaginary-permissions
subjects: []
```
The issue is basically that when the Kubernetes API server returns this object, it omits the subjects array. The config policy controller thinks that it needs to add it, and doesn't "know" that such an update is a no-op.
- clones ACM-5132 Configuration policy for a role binding with 0 subjects flaps (Closed)
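The comparison problem described under "Additional info", as an added example that is not the config policy controller's own code: a strict match reports drift on every evaluation, while a match that treats an empty desired value and an omitted field as equal does not. The function names are hypothetical, and the sample objects are constructed from the ClusterRoleBinding above (roleRef abbreviated).

```go
package main
import (
	"fmt"
	"reflect"
)

// isEmpty: nil, or a zero-length list or map (values missing from the returned object).
func isEmpty(v interface{}) bool {
	rv := reflect.ValueOf(v)
	return v == nil || ((rv.Kind() == reflect.Slice || rv.Kind() == reflect.Map) && rv.Len() == 0)
}

// naiveMatch requires every desired key to exist in live with an equal value.
func naiveMatch(desired, live map[string]interface{}) bool {
	for k, want := range desired {
		if got, ok := live[k]; !ok || !reflect.DeepEqual(want, got) {
			return false
		}
	}
	return true
}

// tolerantMatch treats an empty desired value and a missing live field as equal.
func tolerantMatch(desired, live map[string]interface{}) bool {
	for k, want := range desired {
		got := live[k]
		wm, wok := want.(map[string]interface{})
		gm, gok := got.(map[string]interface{})
		switch {
		case isEmpty(want) && isEmpty(got): // subjects: [] vs. omitted: no drift
		case wok && gok:
			if !tolerantMatch(wm, gm) {
				return false
			}
		case !reflect.DeepEqual(want, got):
			return false
		}
	}
	return true
}

// sample is constructed: the policy's object and what a GET returns for it.
func sample() (desired, live map[string]interface{}) {
	ref := map[string]interface{}{"kind": "ClusterRole", "name": "imaginary-permissions"}
	return map[string]interface{}{"roleRef": ref, "subjects": []interface{}{}}, map[string]interface{}{"roleRef": ref}
}

func main() {
	fmt.Println(naiveMatch(sample()), tolerantMatch(sample()))
}
```

A binding that has gained a subject still fails the tolerant match, so real drift from the declared empty list is still reported.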