BCDevOps / OpenShift4-Migration

Scripts and info for Ministry teams migration from OpenShift 3.11 to 4.x
Apache License 2.0

OCP4 GUI BUG - Role Bindings and Project Access under Developer view #70

Closed rloisell closed 2 years ago

rloisell commented 3 years ago

There are multiple options for provisioning RBAC and User Access to namespaces in OCP 4. It can be done via Administrator view, Developer view, via the API as distinct commands, or via yml files applied via the CLI.

There is a bug in the Developer view of Project Access that only displays the first user of a particular role type, if those users have been added on the CLI via a YML file, via the project registry, or the Admin GUI.

For the examples below, if applied from the CLI with:

% oc apply -f -access.yml

You will only be able to see the "bcdevops-admin", "dev1", and "govemp1" users from the Developer Project Access View. The CLI and the Administrator view will both display the appropriate information and Role Bindings.

This bug is of concern as it does not provide an accurate view of the RBAC that has been provisioned via the CLI from yml templates. In multiple projects this has led to duplication of users being provisioned, as the view as to who has been provisioned is not consistent depending on where you were looking.

Sample YML Files:

% more developer-access.yml

apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: nttdevops
  roleRef:
    kind: ClusterRole
    name: admin
  subjects:
  - kind: User
    name: dev1@github
  - kind: User
    name: dev2@github
  - kind: User
    name: dev3@github 
  - kind: User
    name: dev4@github
kind: List

% more sector-access.yml

apiVersion: v1
items:
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: sectoradmin
  roleRef:
    kind: ClusterRole
    name: admin
  subjects:
  - kind: User
    name: govemp1@github
  - kind: User
    name: govemp2@github 
  - kind: User
    name: govemp3@github 
kind: List

Screenshots provided to Platform Services team via email to protect identity of those with privileged levels of access.
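
Added example, not part of the original issue or the repository's scripts: because the CLI output is the accurate view, this Python script flattens `oc get rolebindings -o json` into one row per subject, so members after the first in each binding and repeated grants become visible. The embedded sample is constructed from the names in the YAML above, and treating "first subject of each binding" as what the Developer view shows is an assumption drawn from the users the issue lists as visible.

```python
import json
import sys
from collections import defaultdict

# Constructed sample in the shape of `oc get rolebindings -o json`, using the
# binding and user names from the two YAML files in the issue.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "RoleBinding", "metadata": {"name": "nttdevops"},
     "roleRef": {"kind": "ClusterRole", "name": "admin"},
     "subjects": [{"kind": "User", "name": f"dev{i}@github"} for i in range(1, 5)]},
    {"kind": "RoleBinding", "metadata": {"name": "sectoradmin"},
     "roleRef": {"kind": "ClusterRole", "name": "admin"},
     "subjects": [{"kind": "User", "name": f"govemp{i}@github"} for i in range(1, 4)]},
]})

def flatten(raw):
    """One (binding, role, subject, position) row per subject of each RoleBinding."""
    rows = []
    for item in json.loads(raw).get("items", []):
        if item.get("kind") != "RoleBinding":
            continue
        role = f'{item["roleRef"]["kind"]}/{item["roleRef"]["name"]}'
        # `subjects` may be absent or null on a binding with no members.
        for pos, subj in enumerate(item.get("subjects") or []):
            rows.append((item["metadata"]["name"], role,
                         f'{subj["kind"]}/{subj["name"]}', pos))
    return rows

def not_first(rows):
    """Subjects after the first in their binding (assumed to be what the view omits)."""
    return sorted(subject for _, _, subject, pos in rows if pos > 0)

def duplicate_grants(rows):
    """(role, subject) pairs granted by more than one binding, with the binding names."""
    seen = defaultdict(set)
    for binding, role, subject, _ in rows:
        seen[(role, subject)].add(binding)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    # Real data: oc get rolebindings -n <namespace> -o json | python3 <this file>
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    rows = flatten(raw)
    for binding, role, subject, _ in rows:
        print(f"{binding:<14}{role:<20}{subject}")
    print("not first in binding:", ", ".join(not_first(rows)) or "none")
    print("granted more than once:", duplicate_grants(rows) or "none")
```
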

rloisell commented 3 years ago

CC: @juhewitt @mitovskaol @NickCorcoran

StevenBarre commented 3 years ago

I've opened https://access.redhat.com/support/cases/#/case/02858257 with Red Hat to report this issue.

StevenBarre commented 3 years ago

This is a known bug, and scheduled to be fixed in 4.7 https://bugzilla.redhat.com/show_bug.cgi?id=1906898

StevenBarre commented 3 years ago

Bug to track backporting to 4.6 https://bugzilla.redhat.com/show_bug.cgi?id=1924437

StevenBarre commented 3 years ago

The version 4.6.20 provides the fix of https://github.com/openshift/console/pull/8034 https://access.redhat.com/errata/RHBA-2021:0674 and is now available.

So we should pick this up when we upgrade next quarter.