
Flux diff not working for roles with aggregationRule

Open eloo opened this issue 2 years ago • 4 comments

### Describe the bug

It seems that `flux diff` is not working properly when a (Cluster)Role has an `aggregationRule`.

It seems that the aggregation is ignored, and thus the diff shows a lot of removed rules which should be applied by the aggregation.

### Steps to reproduce

Create roles like this:

```
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-public-viewer
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        rbac.authorization.k8s.io/aggregate-to-kube-public-viewer: "true"
rules: []

---
# Cluster role for read-only access to default K8s resources
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-public-secret-reader
  labels:
    rbac.authorization.k8s.io/aggregate-to-kube-public-viewer: "true"
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "watch", "list"]
  resourceNames:
    - "infrastructure"
    - "cluster"
```

Run `flux diff` afterwards.

Output of the diff:

```
► ClusterRole/kube-public-viewer drifted

rules
  ± type change from list to <nil>
    - - apiGroups:
        -
        resourceNames:
        - infrastructure
        - cluster
        resources:
        - secrets
        verbs:
        - get
        - watch
        - list
    + <nil>
```


### Expected behavior

I would expect that the aggregation is detected, as is the case in the Kubernetes cluster, and that I get no diff.



### Screenshots and recordings

_No response_

### OS / Distro

macos 11.6

### Flux version

flux: v0.27.2

### Flux check

n/a

### Git provider

_No response_

### Container Registry provider

_No response_

### Additional context

_No response_

### Code of Conduct

- [X] I agree to follow this project's Code of Conduct

eloo avatar Feb 24 '22 18:02 eloo

Can you please try this with `kubectl diff --server-side`? I suspect this is a bug in Kubernetes server-side apply dry-run; we don't do anything special with RBAC, we send it to the API and show the diff output.

stefanprodan avatar Feb 25 '22 14:02 stefanprodan

@stefanprodan I'm not familiar with `kubectl diff` and which options to use, but here is some input:

`kubectl diff --server-side -k . --force-conflicts=true` -> I see the same deletes of rules as I do for `flux diff`

`kubectl diff --server-side -k .`

```
Error from server (Conflict): Apply failed with 1 conflict: conflict with "clusterrole-aggregation-controller": .rules
```

`kubectl diff -k .` -> I see the same deletes of rules as I do for `flux diff`

I hope that helps?

`kubectl version --client=true`

```
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.1", GitCommit:"86ec240af8cbd1b60bcc4c03c20da9b98005b92e", GitTreeState:"clean", BuildDate:"2021-12-16T11:33:37Z", GoVersion:"go1.17.5", Compiler:"gc", Platform:"darwin/amd64"}
```

eloo avatar Feb 25 '22 14:02 eloo

> `kubectl diff --server-side -k . --force-conflicts=true` -> I see the same deletes of rules as I do for `flux diff`

Ok, so this is a bug in the Kubernetes API; please report this to the Kubernetes team.

stefanprodan avatar Feb 26 '22 08:02 stefanprodan

I just stumbled across this and was able to resolve it by removing the empty `rules` key.

Flux will reconcile it every time when defined like that:

```
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-view
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-view: "true"
rules: []
```

Works:

```
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-view
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-view: "true"
```
nickspizzas avatar Dec 19 '23 13:12 nickspizzas
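The thread above boils down to one ownership rule: the `.rules` of an aggregated ClusterRole is written by the control plane's `clusterrole-aggregation-controller`, so a manifest that also claims that field (even as `rules: []`) conflicts with the controller on every server-side apply dry-run, and `flux diff` / `kubectl diff --server-side` report the aggregated rules as removed. The following is an added example, not code from the Flux project or from anyone in this thread: a small pre-commit style lint that flags aggregated ClusterRoles declaring `rules`, applies the workaround from the last comment (drop the key), and computes client-side which rules the aggregation controller would assemble, so the "removed" rules in the diff can be recognised as aggregated ones. It assumes manifests arrive as already-parsed dicts (for instance from `kubectl get clusterrole -o json` or a YAML loader); the sample manifests inside are constructed to mirror the two roles from the issue, and only `matchLabels` selectors are evaluated (a `matchExpressions` selector is treated as non-matching, a deliberate simplification).

```python
"""Lint ClusterRole manifests for the aggregated-role drift pattern.

Added example (not Flux or Kubernetes project code). Input: parsed
manifest dicts. The sample data below is constructed for the demo.
"""
import json
from typing import Dict, Iterable, List

AGGREGATION_CONTROLLER = "clusterrole-aggregation-controller"


def _is_aggregated(manifest: Dict) -> bool:
    """True when the ClusterRole carries at least one clusterRoleSelector."""
    return manifest.get("kind") == "ClusterRole" and bool(
        (manifest.get("aggregationRule") or {}).get("clusterRoleSelectors")
    )


def manifest_findings(manifests: Iterable[Dict]) -> List[str]:
    """One finding per aggregated ClusterRole that also declares '.rules'."""
    findings = []
    for m in manifests:
        if _is_aggregated(m) and "rules" in m:
            name = (m.get("metadata") or {}).get("name", "<unnamed>")
            count = len(m.get("rules") or [])
            findings.append(
                f"ClusterRole/{name}: declares 'rules' ({count} entries) next to an "
                f"aggregationRule; '.rules' is owned by {AGGREGATION_CONTROLLER}, "
                f"drop the key to stop perpetual drift"
            )
    return findings


def fixed_manifest(manifest: Dict) -> Dict:
    """Copy of the manifest with the conflicting 'rules' key removed (the thread's workaround)."""
    fixed = dict(manifest)
    if _is_aggregated(fixed):
        fixed.pop("rules", None)
    return fixed


def _selector_matches(labels: Dict[str, str], selector: Dict) -> bool:
    # Simplification: only matchLabels is evaluated; matchExpressions never matches here.
    if "matchExpressions" in selector:
        return False
    return all(labels.get(k) == v for k, v in (selector.get("matchLabels") or {}).items())


def aggregated_rules(manifests: Iterable[Dict]) -> Dict[str, List[Dict]]:
    """What the aggregation controller would assemble for each aggregated role:
    the rules of every other ClusterRole whose labels match one of its selectors."""
    roles = [m for m in manifests if m.get("kind") == "ClusterRole"]
    result: Dict[str, List[Dict]] = {}
    for role in roles:
        if not _is_aggregated(role):
            continue
        selectors = role["aggregationRule"]["clusterRoleSelectors"]
        assembled: List[Dict] = []
        for other in roles:
            if other is role:
                continue
            labels = (other.get("metadata") or {}).get("labels") or {}
            if any(_selector_matches(labels, s) for s in selectors):
                assembled.extend(other.get("rules") or [])
        result[role["metadata"]["name"]] = assembled
    return result


# Constructed sample mirroring the two ClusterRoles from the issue report.
SAMPLE_MANIFESTS = [
    {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": "kube-public-viewer"},
        "aggregationRule": {"clusterRoleSelectors": [
            {"matchLabels": {"rbac.authorization.k8s.io/aggregate-to-kube-public-viewer": "true"}}]},
        "rules": [],  # the key that fights the aggregation controller
    },
    {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": "kube-public-secret-reader",
                     "labels": {"rbac.authorization.k8s.io/aggregate-to-kube-public-viewer": "true"}},
        "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "watch", "list"],
                   "resourceNames": ["infrastructure", "cluster"]}],
    },
]

if __name__ == "__main__":
    for finding in manifest_findings(SAMPLE_MANIFESTS):
        print(finding)
    print(json.dumps(aggregated_rules(SAMPLE_MANIFESTS), indent=2))
```

Running it on the sample reports the single offending `kube-public-viewer` role and shows that its aggregated rule set is exactly the `secrets` rule from `kube-public-secret-reader`, i.e. the rule the `flux diff` output above lists as removed; after `fixed_manifest` strips the `rules` key, the lint is clean and the manifest matches the working form from the last comment.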