Details
- Bug
- Resolution: Not a Bug
- Major
- None
- 4.16.0
- None
- Proposed
- False
Description
Description of problem:
Attempts to delete the Kubeadmin user and associated secrets in a Hypershift cluster fail. The user and secret are automatically recreated with new credentials. This prevents compliance with customer security policies that mandate the Kubeadmin user's removal.
Version-Release number of selected component (if applicable):
4.16.0-0.nightly-2024-04-14-063437
How reproducible:
Always
Steps to Reproduce:
1. Identify Hosted Cluster:
# HOSTED_CLUSTER_NAME=$(oc get hostedclusters -n clusters -o jsonpath='{.items[0].metadata.name}')
# echo $HOSTED_CLUSTER_NAME
hypershift-ci-276698
2. Retrieve the kubeadmin secret:
# oc get secret/kubeadmin-password -n "clusters-${HOSTED_CLUSTER_NAME}"
NAME TYPE DATA AGE
kubeadmin-password Opaque 1 11m
3. Attempt to delete the kubeadmin secret:
# oc delete secret/kubeadmin-password -n "clusters-${HOSTED_CLUSTER_NAME}"
secret "kubeadmin-password" deleted
4. Re-check for the existence of the kubeadmin secret:
# oc get secret/kubeadmin-password -n "clusters-${HOSTED_CLUSTER_NAME}"
NAME TYPE DATA AGE
kubeadmin-password Opaque 1 3s
Actual results:
The `kubeadmin-password` secret and the Kubeadmin user are recreated within a short period of time, with new credentials.
Expected results:
The Kubeadmin user should be permanently removed from the cluster.
Additional Notes:
This behavior violates customer security requirements.
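
The script below is an added example; it is not part of the original report and is not HyperShift project code. It automates steps 2 to 4 and tells a delete that never took effect apart from a controller recreating the secret, by comparing `metadata.uid` before and after the delete. The function names, result labels, timeout and polling interval are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: does a deleted secret come back as a NEW object?
# Assumes `oc` is logged in to the cluster where the report's commands ran.

# Print the secret's UID, or nothing if the secret does not exist.
secret_uid() {  # $1 = namespace, $2 = secret name
    oc get secret "$2" -n "$1" -o jsonpath='{.metadata.uid}' 2>/dev/null || true
}

# Prints exactly one of:
#   absent     secret did not exist before the check
#   recreated  a secret with a different UID appeared after the delete
#   removed    secret stayed gone for the whole observation window
#   undeleted  the same UID is still present (delete did not take effect)
check_recreation() {  # $1 = namespace, $2 = name, $3 = timeout s, $4 = interval s
    ns=$1; name=$2; timeout=${3:-60}; interval=${4:-5}
    before=$(secret_uid "$ns" "$name")
    if [ -z "$before" ]; then echo absent; return 0; fi

    oc delete secret "$name" -n "$ns" >/dev/null || return 1

    elapsed=0
    after=""
    while [ "$elapsed" -le "$timeout" ]; do
        after=$(secret_uid "$ns" "$name")
        # A different UID means a new object was created, not that the
        # original survived the delete.
        if [ -n "$after" ] && [ "$after" != "$before" ]; then
            echo recreated; return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done

    if [ -z "$after" ]; then echo removed; else echo undeleted; fi
}

# Example: sh check.sh "clusters-${HOSTED_CLUSTER_NAME}" kubeadmin-password
if [ "$#" -ge 2 ]; then
    check_recreation "$@"
fi
```

A `recreated` result matches the behavior in "Actual results"; recording the two UIDs alongside it gives an auditor evidence that a controller, not a failed delete, restored the secret.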