terraform-provider-kubernetes

Unsupported value: "rbac.authorization.k8s.io": supported values: "" when updating role binding

Open matshch opened this issue 2 years ago • 1 comments

Terraform Version, Provider Version and Kubernetes Version

Terraform version: 1.5.7
Kubernetes provider version: 2.23.0
Kubernetes version: 1.25.12-eks-2d98532

Affected Resource(s)

  • kubernetes_cluster_role_binding_v1
  • kubernetes_role_binding_v1

Terraform Configuration Files

@@ -11,9 +19,10 @@ resource "kubernetes_cluster_role_binding_v1" "cluster_role_binding" {
   }
 
   subject {
-    kind      = "Group"
-    name      = "system:serviceaccounts:${kubernetes_namespace_v1.namespace.metadata.0.name}"
-    api_group = "rbac.authorization.k8s.io"
+    api_group = ""
+    kind      = "ServiceAccount"
+    name      = kubernetes_service_account_v1.service_account.metadata.0.name
+    namespace = kubernetes_service_account_v1.service_account.metadata.0.namespace
   }
 }
 
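Review bot: the added `api_group = ""` in the `subject` block of `cluster_role_binding` has no comment saying why it is set, and the error output on this page shows the API server accepting only `""` for a `ServiceAccount` subject. A one-line comment such as `# ServiceAccount subjects take an empty api_group` would keep someone from restoring `rbac.authorization.k8s.io` here. Separately, the subject narrows from the `system:serviceaccounts:<namespace>` group to one named service account, so any other service account in that namespace that relied on this cluster-wide binding loses access; worth confirming that is intended.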
@@ -31,9 +40,10 @@ resource "kubernetes_role_binding_v1" "role_binding" {
   }
 
   subject {
-    kind      = "Group"
-    name      = "system:serviceaccounts:${kubernetes_namespace_v1.namespace.metadata.0.name}"
-    api_group = "rbac.authorization.k8s.io"
+    api_group = ""
+    kind      = "ServiceAccount"
+    name      = kubernetes_service_account_v1.service_account.metadata.0.name
+    namespace = kubernetes_service_account_v1.service_account.metadata.0.namespace
   }
 }
 
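Review bot: in the `role_binding` subject, `namespace` now comes from `kubernetes_service_account_v1.service_account.metadata.0.namespace`, while the removed group name was built from `kubernetes_namespace_v1.namespace.metadata.0.name`, and the hunk does not show which namespace the binding's own `metadata` uses. If the two can differ, this RoleBinding grants its role to a service account from another namespace; consider stating the intent in a comment or deriving both from the same resource. The `metadata.0.name` index form could also be written `metadata[0].name`, the current HCL style.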

(it does not matter if api_group is an empty string or omitted)

Steps to Reproduce

  1. Create kubernetes_cluster_role_binding_v1 or kubernetes_role_binding_v1 with Group subject.
  2. Change subject to ServiceAccount.
  3. Apply terraform.

Expected Behavior

Subject should be changed successfully.

Actual Behavior

The following errors are emitted:

  • Error: Failed to update ClusterRoleBinding: ClusterRoleBinding.rbac.authorization.k8s.io "openvpn-server" is invalid: subjects[0].apiGroup: Unsupported value: "rbac.authorization.k8s.io": supported values: ""
  • Error: Failed to update RoleBinding: RoleBinding.rbac.authorization.k8s.io "openvpn-server" is invalid: subjects[0].apiGroup: Unsupported value: "rbac.authorization.k8s.io": supported values: ""

Important details:

  • The plan does not show a change in api_group.
  • The provider actually sends a PATCH request mentioning the old apiGroup:
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: 2023/10/16 14:14:43 [DEBUG] Kubernetes API Request Details:
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: ---[ REQUEST ]---------------------------------------
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: PATCH /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/openvpn-server HTTP/1.1
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: Host: ....gr7.eu-central-1.eks.amazonaws.com
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: User-Agent: HashiCorp/1.0 Terraform/1.5.7
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: Content-Length: 157
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: Accept: application/json, */*
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: Authorization: Bearer k8s-aws-v1....
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: Content-Type: application/json-patch+json
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: Accept-Encoding: gzip
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: 
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: [
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5:  {
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5:   "path": "/subjects/0",
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5:   "value": {
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5:    "kind": "ServiceAccount",
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5:    "apiGroup": "rbac.authorization.k8s.io",
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5:    "name": "server",
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5:    "namespace": "openvpn-server"
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5:   },
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5:   "op": "replace"
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5:  }
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: ]
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: -----------------------------------------------------
    

References

  • It looks like GH-204, but for updating instead of creation.

matshch Oct 16 '23 11:10
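A check for the mismatch visible in the logged PATCH request, written as an added example and not taken from the provider's code: it flags any whole-subject JSON patch operation whose apiGroup does not fit its kind. `CheckPatch` and `apiGroupFor` are names chosen here, the kind-to-apiGroup table follows the API server's error text plus the standard RBAC rule for User and Group, and `SamplePatch` is the logged request body joined onto one line.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// apiGroupFor maps each RBAC subject kind to the only apiGroup the API server accepts.
var apiGroupFor = map[string]string{
	"ServiceAccount": "",
	"User":           "rbac.authorization.k8s.io",
	"Group":          "rbac.authorization.k8s.io",
}

type patchOp struct {
	Path  string          `json:"path"`
	Value json.RawMessage `json:"value"`
}

// CheckPatch lists the "/subjects/<index>" operations in a JSON patch whose
// apiGroup does not fit the subject kind. An empty apiGroup is not flagged,
// because the API server fills in the default for the kind.
func CheckPatch(body []byte) ([]string, error) {
	var ops []patchOp
	if err := json.Unmarshal(body, &ops); err != nil {
		return nil, err
	}
	var problems []string
	for _, op := range ops {
		// Field-level paths and value-less ops (remove) carry no subject object.
		if !strings.HasPrefix(op.Path, "/subjects/") || strings.Count(op.Path, "/") != 2 || len(op.Value) == 0 {
			continue
		}
		var s struct{ Kind, APIGroup string } // matched to "kind"/"apiGroup" case-insensitively
		if err := json.Unmarshal(op.Value, &s); err != nil {
			return nil, err
		}
		if want, ok := apiGroupFor[s.Kind]; ok && s.APIGroup != "" && s.APIGroup != want {
			problems = append(problems, fmt.Sprintf("%s: %s needs apiGroup %q, got %q", op.Path, s.Kind, want, s.APIGroup))
		}
	}
	return problems, nil
}

// SamplePatch is the request body from the debug log above, joined onto one line.
const SamplePatch = `[{"path":"/subjects/0","value":{"kind":"ServiceAccount","apiGroup":"rbac.authorization.k8s.io","name":"server","namespace":"openvpn-server"},"op":"replace"}]`

func main() {
	fmt.Println(CheckPatch([]byte(SamplePatch)))
}
```

Run against the logged body, it reports the stale apiGroup on `/subjects/0`, the same field the API server rejects.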

Marking this issue as stale due to inactivity. If this issue receives no comments in the next 30 days it will automatically be closed. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. This helps our maintainers find and focus on the active issues. Maintainers may also remove the stale label at their discretion. Thank you!

github-actions[bot] Oct 16 '24 00:10