Bug
Resolution: Unresolved
4.16, 4.17, 4.18, 4.19
Quality / Stability / Reliability
Important
In the following documentation: https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/builds_using_buildconfig/triggering-builds-build-hooks#unauthenticated-users-system-webhook_triggering-builds-build-hooks
In step 1 of section 8.1.1.1, the following example is wrong:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: webhook-access-unauthenticated
  namespace: <namespace>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: "system:webhook"
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: "system:unauthenticated"
Instead, it must be:
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: webhook-access-unauthenticated
  namespace: <namespace>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: "system:webhook"
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: "system:unauthenticated"
i.e. the kind in the roleRef must be ClusterRole, not Role.
This bug is important because anybody trying to run the procedure will fail.
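A binding whose roleRef does not resolve grants no permissions, so the mismatch reported above can be caught before applying a manifest. The following check is an added example, not part of the original report or of the Red Hat documentation; the role inventories, the `demo` namespace and the function names are constructed for illustration and stand in for what a cluster would return.

```python
# Constructed inventory; on a real cluster this would come from listing
# ClusterRoles and the Roles of each namespace.
CLUSTER_ROLES = {"system:webhook", "view", "edit"}
NAMESPACED_ROLES = {"demo": {"app-reader"}}  # namespace -> Role names


def binding(ref_kind):
    """Build the RoleBinding from the report with the given roleRef kind."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": "webhook-access-unauthenticated",
                     "namespace": "demo"},  # placeholder for <namespace>
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": ref_kind, "name": "system:webhook"},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                      "kind": "Group", "name": "system:unauthenticated"}],
    }


def check_role_ref(rb, cluster_roles, namespaced_roles):
    """Return findings for one RoleBinding; an empty list means it resolves."""
    findings = []
    ref = rb.get("roleRef", {})
    ns = rb.get("metadata", {}).get("namespace", "")
    kind, name = ref.get("kind"), ref.get("name")
    if kind == "Role":
        # A Role is looked up only in the binding's own namespace.
        if name not in namespaced_roles.get(ns, set()):
            msg = f"roleRef Role/{name} not found in namespace {ns}"
            if name in cluster_roles:
                msg += "; a ClusterRole with that name exists, use kind: ClusterRole"
            findings.append(msg)
    elif kind == "ClusterRole":
        if name not in cluster_roles:
            findings.append(f"roleRef ClusterRole/{name} not found")
    else:
        findings.append(f"roleRef kind {kind!r} is not valid for a RoleBinding")
    return findings


if __name__ == "__main__":
    for k in ("Role", "ClusterRole"):
        print(k, "->", check_role_ref(binding(k), CLUSTER_ROLES, NAMESPACED_ROLES) or "ok")
```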