Uploaded image for project: 'OpenShift Pipelines'
  1. OpenShift Pipelines
  2. SRVKP-2573

openshift-pipelines-clusterinterceptors ClusterRoleBinding not updated after namespace removal

XMLWordPrintable

    • 3
    • False
    • None
    • False
    • Hide
      If namespaces deleted then those namespaces will be removed from ClusterInterceptor ClusterRoleBinding

      **Before:**

      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: "2022-11-30T10:57:38Z"
        name: openshift-pipelines-clusterinterceptors
        ownerReferences:
        - apiVersion: operator.tekton.dev/v1alpha1
          blockOwnerDeletion: true
          controller: true
          kind: TektonInstallerSet
          name: rhosp-rbac-z4v56
          uid: f591469b-125d-43c1-ba9a-7f1c95ef98d7
        resourceVersion: "151362"
        uid: 291c40fa-1390-4e90-a391-4e8856ca5a3f
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: openshift-pipelines-clusterinterceptors
      subjects:
      - kind: ServiceAccount
        name: pipeline
        namespace: default
      - kind: ServiceAccount
        name: pipeline
        namespace: openshift
      - kind: ServiceAccount
        name: pipeline
        namespace: test

      Deleted namespace **test**

      **After:**

      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: "2022-11-30T10:57:38Z"
        name: openshift-pipelines-clusterinterceptors
        ownerReferences:
        - apiVersion: operator.tekton.dev/v1alpha1
          blockOwnerDeletion: true
          controller: true
          kind: TektonInstallerSet
          name: rhosp-rbac-z4v56
          uid: f591469b-125d-43c1-ba9a-7f1c95ef98d7
        resourceVersion: "151522"
        uid: 291c40fa-1390-4e90-a391-4e8856ca5a3f
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: openshift-pipelines-clusterinterceptors
      subjects:
      - kind: ServiceAccount
        name: pipeline
        namespace: default
      - kind: ServiceAccount
        name: pipeline
        namespace: openshift

      Show
      If namespaces deleted then those namespaces will be removed from ClusterInterceptor ClusterRoleBinding **Before:** apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata:   creationTimestamp: "2022-11-30T10:57:38Z"   name: openshift-pipelines-clusterinterceptors   ownerReferences:   - apiVersion: operator.tekton.dev/v1alpha1     blockOwnerDeletion: true     controller: true     kind: TektonInstallerSet     name: rhosp-rbac-z4v56     uid: f591469b-125d-43c1-ba9a-7f1c95ef98d7   resourceVersion: "151362"   uid: 291c40fa-1390-4e90-a391-4e8856ca5a3f roleRef:   apiGroup: rbac.authorization.k8s.io   kind: ClusterRole   name: openshift-pipelines-clusterinterceptors subjects: - kind: ServiceAccount   name: pipeline   namespace: default - kind: ServiceAccount   name: pipeline   namespace: openshift - kind: ServiceAccount   name: pipeline   namespace: test Deleted namespace **test** **After:** apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata:   creationTimestamp: "2022-11-30T10:57:38Z"   name: openshift-pipelines-clusterinterceptors   ownerReferences:   - apiVersion: operator.tekton.dev/v1alpha1     blockOwnerDeletion: true     controller: true     kind: TektonInstallerSet     name: rhosp-rbac-z4v56     uid: f591469b-125d-43c1-ba9a-7f1c95ef98d7   resourceVersion: "151522"   uid: 291c40fa-1390-4e90-a391-4e8856ca5a3f roleRef:   apiGroup: rbac.authorization.k8s.io   kind: ClusterRole   name: openshift-pipelines-clusterinterceptors subjects: - kind: ServiceAccount   name: pipeline   namespace: default - kind: ServiceAccount   name: pipeline   namespace: openshift
    • Bug Fix
    • Pipelines Sprint 229, Pipelines Sprint 230

      The ClusterRoleBinding called openshift-pipelines-clusterinterceptors is managed by the OpenShift Pipelines - Operator. It picks up all newly created namespaces and is adding them subjects to the given ClusterRoleBinding. Unfortunately when namespaces are removed, the ClusterRoleBinding is not updated accordingly, leaving orphenad subjects in ClusterRoleBinding called openshift-pipelines-clusterinterceptors.

      $ oc get clusterrolebinding openshift-pipelines-clusterinterceptors -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2022-10-24T08:28:11Z"
  name: openshift-pipelines-clusterinterceptors
  ownerReferences:
  - apiVersion: operator.tekton.dev/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: TektonInstallerSet
    name: rhosp-rbac-cb4k9
    uid: 21c9dd41-f6c7-47e6-84a7-0856c97d2049
  resourceVersion: "3839550"
  uid: 3b7e4eff-1864-4e81-b3d6-ef19b0e1fd13
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: openshift-pipelines-clusterinterceptors
subjects:
- kind: ServiceAccount
  name: pipeline
  namespace: dedicated-admin
- kind: ServiceAccount
  name: pipeline
  namespace: default
- kind: ServiceAccount
  name: pipeline
  namespace: flux-system
- kind: ServiceAccount
  name: pipeline
  namespace: openshift
[...]
- kind: ServiceAccount
  name: pipeline
  namespace: project-74
- kind: ServiceAccount
  name: pipeline
  namespace: project-80
- kind: ServiceAccount
  name: pipeline
  namespace: project-81
- kind: ServiceAccount
  name: pipeline
  namespace: project-82

$ oc get sa -n project-80
No resources found in project-80 namespace.

$ oc get sa -n project-74
NAME       SECRETS   AGE
builder    2         15m
default    2         15m
deployer   2         15m
pipeline   2         15m

$ oc get sa -n project-81
No resources found in project-81 namespace.

      Based on the above, namespace called project-80 and project-81 should be again removed from ClusterRoleBinding called openshift-pipelines-clusterinterceptors as they don't exist anymore and also objects related to the given namespace.

              sashture Savita .
              rhn-support-sreber Simon Reber
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: