Bug
Resolution: Unresolved
Undefined
None
4.13.z, 4.12.z, 4.14.z
Low
No
2
OSDOCS Sprint 261, OSDOCS Sprint 262
2
False
Release Note Not Required
In Progress
Description of problem:
Customer has configured LDAP group sync in their OpenShift clusters and they confirmed that the API core group included in the RBAC security configuration is not required for LDAP group syncing. Could we update our docs to remove that from the ldap-group-syncer cluster role definition?
Version-Release number of selected component (if applicable):
4.12.z, 4.13.z, 4.14.z
Additional info:
I just confirmed that ldap group sync works without the '' in the apiGroups section of the ClusterRole. As expected, our ldap synchronization cronjob was able to successfully add & remove users from the group, as well as create a group that was not present before the sync. Can the ldap-group-syncer example in Step 5 found here (https://docs.openshift.com/container-platform/4.12/authentication/ldap-syncing.html#ldap-auto-syncing_ldap-syncing-groups) be updated to remove that?

Original configuration currently documented:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: ldap-group-syncer
    rules:
      - apiGroups:
          - ''
          - user.openshift.io
        resources:
          - groups
        verbs:
          - get
          - list
          - create
          - update

New configuration:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: ldap-group-syncer
    rules:
      - apiGroups:
          - user.openshift.io
        resources:
          - groups
        verbs:
          - get
          - list
          - create
          - update
Need to have Step 5 in our documentation (https://docs.openshift.com/container-platform/4.12/authentication/ldap-syncing.html#ldap-auto-syncing_ldap-syncing-groups) updated to reflect the new configuration shown above.
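
The following is an added example, not part of the original ticket or the OpenShift documentation: a small Python check that expands the two ClusterRole definitions quoted above into (apiGroup, resource, verb) grants and shows that the proposed change drops only the core-group ('') entries. The dict transcription of the YAML and the function names are assumptions made for this illustration.

```python
"""Compare the RBAC grants of two ClusterRole definitions (added example)."""
from itertools import product

# The two ldap-group-syncer definitions from the ticket, transcribed as dicts.
DOCUMENTED = {
    "kind": "ClusterRole",
    "metadata": {"name": "ldap-group-syncer"},
    "rules": [{
        "apiGroups": ["", "user.openshift.io"],
        "resources": ["groups"],
        "verbs": ["get", "list", "create", "update"],
    }],
}
PROPOSED = {
    "kind": "ClusterRole",
    "metadata": {"name": "ldap-group-syncer"},
    "rules": [{
        "apiGroups": ["user.openshift.io"],
        "resources": ["groups"],
        "verbs": ["get", "list", "create", "update"],
    }],
}


def grants(role):
    """Expand every rule into (apiGroup, resource, verb) triples.

    Wildcards ('*') are kept literally, not expanded."""
    out = set()
    for rule in role.get("rules") or []:
        out.update(product(rule.get("apiGroups", []),
                           rule.get("resources", []),
                           rule.get("verbs", [])))
    return out


def diff_roles(old, new):
    """Return (removed, added, kept) grant sets when moving from old to new."""
    a, b = grants(old), grants(new)
    return a - b, b - a, a & b


def describe(triples):
    """Render triples as sorted 'verb resource.group'; '' is shown as 'core'."""
    return sorted(f"{v} {r}.{g or 'core'}" for g, r, v in triples)


if __name__ == "__main__":
    removed, added, kept = diff_roles(DOCUMENTED, PROPOSED)
    print("removed:", describe(removed))
    print("added:  ", describe(added))
    print("kept:   ", describe(kept))
```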