Closed rloisell closed 2 years ago
CC: @juhewitt @mitovskaol @NickCorcoran
I've opened https://access.redhat.com/support/cases/#/case/02858257 with Red Hat to report this issue.
This is a known bug, and scheduled to be fixed in 4.7 https://bugzilla.redhat.com/show_bug.cgi?id=1906898
Bug to track backporting to 4.6 https://bugzilla.redhat.com/show_bug.cgi?id=1924437
The version 4.6.20 provides the fix of https://github.com/openshift/console/pull/8034 https://access.redhat.com/errata/RHBA-2021:0674 and is now available.
So we should pick this up when we upgrade next quarter.
There are multiple options for provisioning RBAC and User Access to namespaces in OCP 4. It can be done via Administrator view, Developer view, via the API as distinct commands, or via yml files applied via the CLI.
There is a bug in the Developer view of Project Access that only displays the first user of a particular role type, if those users have been added on the CLI via a YML file, via the project registry, or the Admin GUI.
For the examples below, if applied from the CLI with:
% oc apply -f-access.yml
You will only be able to see the "bcdevops-admin", "dev1", and "govemp1" users from the Developer Project Access View. The CLI and the Administrator view will both display the appropriate information and Role Bindings.
This bug is of concern as it does not provide an accurate view of the RBAC that have been provisioned via the CLI from yml templates. In multiple projects this has led to duplication of users being provisioned as the view as to who has been provisioned is not consistent depending on where you were looking.
Sample YML Files:
% more developer-access.yml
% more sector-access.yml
Screen Shots provided to Platform Services team via email to protect identity of those with privileged levels of access.