Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-48613

`oc diff` does not show actual differences for RoleBinding objects with `authorization.openshift.io/v1` API type.

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • 4.14.z
    • openshift-apiserver
    • None
    • Important
    • None
    • False
    • Hide

      None

      Show
      None

      Description of problem:

       When using the `oc diff` command on RoleBinding objects with the `authorization.openshift.io/v1` API type, no differences are shown when modifying the subjects (e.g., changing the user from `foo` to `bar`). However, when using the `rbac.authorization.k8s.io/v1` API type, the differences are correctly displayed.Both `authorization.openshift.io/v1` and `rbac.authorization.k8s.io/v1` are expected to behave identically, as stated in https://access.redhat.com/solutions/7085020, but the behavior is inconsistent when using `oc diff` on `authorization.openshift.io/v1`.

      How reproducible:

          Everytime

      Steps to Reproduce:

       To reproduce :
Create a Rolebinding "test" with user "foo" :
$ oc create -f - << EOF
apiVersion: authorization.openshift.io/v1
kind: RoleBinding
metadata:
  name: test
  namespace: default
roleRef:
  name: admin
subjects:
- kind: User
  name: foo
EOF

=> rolebinding.authorization.openshift.io/test created

Try an "oc diff" with a different user, using apiVersion "authorization.openshift.io/v1" :
$ oc diff -f - << EOF
apiVersion: authorization.openshift.io/v1
kind: RoleBinding
metadata:
  name: test
  namespace: default
roleRef:
  name: admin
subjects:
- kind: User
  name: bar
EOF

=> empty reply meaning "no difference".

To compare, when using "rbac.authorization.k8s.io/v1" :
$ oc diff -f - << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: test
  namespace: default
roleRef:
  name: admin
subjects:
- kind: User
  name: bar
EOF
diff -u -N /tmp/LIVE-1117655691/rbac.authorization.k8s.io.v1.RoleBinding.default.test /tmp/MERGED-1107121263/rbac.authorization.k8s.io.v1.RoleBinding.default.test
--- /tmp/LIVE-1117655691/rbac.authorization.k8s.io.v1.RoleBinding.default.test    2025-01-15 11:53:48.944296594 +0530
+++ /tmp/MERGED-1107121263/rbac.authorization.k8s.io.v1.RoleBinding.default.test2025-01-15 11:53:48.944296594 +0530
@@ -13,4 +13,4 @@
 subjects:
 - apiGroup: rbac.authorization.k8s.io
   kind: User
-  name: foo
+  name: bar

      Actual results:

      `oc diff` shows`apiVersion: authorization.openshift.io/v1`. no differences when changing the user in a RoleBinding with `apiVersion: authorization.openshift.io/v1`.

      Expected results:

      `oc diff` should show the differences, including the updated user, when applied to RoleBindings with `apiVersion: authorization.openshift.io/v1`, just as it does with `apiVersion: rbac.authorization.k8s.io/v1`.

      Additional info:

      https://redhat-internal.slack.com/archives/CKJR6200N/p1736776493988669

              Unassigned Unassigned
              rhn-support-kchawlan Khushi Chawlani
              Rahul Gangwar Rahul Gangwar
              Votes:
              1 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: