-
Bug
-
Resolution: Duplicate
-
Major
-
None
-
Pipelines 1.8.0
-
3
-
False
-
None
-
False
-
-
Bug Fix
The ClusterRoleBinding called openshift-pipelines-clusterinterceptors is managed by the OpenShift Pipelines - Operator. It picks up all newly created namespaces and is adding them subjects to the given ClusterRoleBinding. Unfortunately when namespaces are removed, the ClusterRoleBinding is not updated accordingly, leaving orphenad subjects in ClusterRoleBinding called openshift-pipelines-clusterinterceptors.
$ oc get clusterrolebinding openshift-pipelines-clusterinterceptors -o yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: creationTimestamp: "2022-10-24T08:28:11Z" name: openshift-pipelines-clusterinterceptors ownerReferences: - apiVersion: operator.tekton.dev/v1alpha1 blockOwnerDeletion: true controller: true kind: TektonInstallerSet name: rhosp-rbac-cb4k9 uid: 21c9dd41-f6c7-47e6-84a7-0856c97d2049 resourceVersion: "3839550" uid: 3b7e4eff-1864-4e81-b3d6-ef19b0e1fd13 roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: openshift-pipelines-clusterinterceptors subjects: - kind: ServiceAccount name: pipeline namespace: dedicated-admin - kind: ServiceAccount name: pipeline namespace: default - kind: ServiceAccount name: pipeline namespace: flux-system - kind: ServiceAccount name: pipeline namespace: openshift [...] - kind: ServiceAccount name: pipeline namespace: project-74 - kind: ServiceAccount name: pipeline namespace: project-80 - kind: ServiceAccount name: pipeline namespace: project-81 - kind: ServiceAccount name: pipeline namespace: project-82 $ oc get sa -n project-80 No resources found in project-80 namespace. $ oc get sa -n project-74 NAME SECRETS AGE builder 2 15m default 2 15m deployer 2 15m pipeline 2 15m $ oc get sa -n project-81 No resources found in project-81 namespace.
Based on the above, namespace called project-80 and project-81 should be again removed from ClusterRoleBinding called openshift-pipelines-clusterinterceptors as they don't exist anymore and also objects related to the given namespace.
- clones
-
SRVKP-2573 openshift-pipelines-clusterinterceptors ClusterRoleBinding not updated after namespace removal
- Closed