terraform-provider-kubernetes

Unsupported value: "rbac.authorization.k8s.io": supported values: "" when updating role binding

Open matshch opened this issue 1 year ago • 1 comments

Terraform Version, Provider Version and Kubernetes Version

Terraform version: 1.5.7
Kubernetes provider version: 2.23.0
Kubernetes version: 1.25.12-eks-2d98532

Affected Resource(s)

  • kubernetes_cluster_role_binding_v1
  • kubernetes_role_binding_v1

Terraform Configuration Files

@@ -11,9 +19,10 @@ resource "kubernetes_cluster_role_binding_v1" "cluster_role_binding" {
   }
 
   subject {
-    kind      = "Group"
-    name      = "system:serviceaccounts:${kubernetes_namespace_v1.namespace.metadata.0.name}"
-    api_group = "rbac.authorization.k8s.io"
+    api_group = ""
+    kind      = "ServiceAccount"
+    name      = kubernetes_service_account_v1.service_account.metadata.0.name
+    namespace = kubernetes_service_account_v1.service_account.metadata.0.namespace
   }
 }
 
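Review bot: `api_group = ""` in the new `subject` block is redundant for a ServiceAccount subject: the API error quoted in this report lists "" as the only supported value for that kind, and the reporter notes that omitting the attribute behaves the same, so the line can be dropped. The subject also narrows from the `system:serviceaccounts:<namespace>` group to one named account; the `role_ref` is outside the hunk, so confirm that this single account is the only identity that needs the cluster-wide binding.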
@@ -31,9 +40,10 @@ resource "kubernetes_role_binding_v1" "role_binding" {
   }
 
   subject {
-    kind      = "Group"
-    name      = "system:serviceaccounts:${kubernetes_namespace_v1.namespace.metadata.0.name}"
-    api_group = "rbac.authorization.k8s.io"
+    api_group = ""
+    kind      = "ServiceAccount"
+    name      = kubernetes_service_account_v1.service_account.metadata.0.name
+    namespace = kubernetes_service_account_v1.service_account.metadata.0.namespace
   }
 }
 
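Review bot: the `name` and `namespace` lines in this `subject` block use the legacy `metadata.0.name` index form; `metadata[0].name` and `metadata[0].namespace` are the current HCL style and read unambiguously as list indexing. Because this is a namespaced RoleBinding, also confirm that the binding's own `metadata` namespace (outside the hunk) is the intended one relative to the service account namespace referenced here.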

(it does not matter if api_group is an empty string or omitted)

Steps to Reproduce

  1. Create kubernetes_cluster_role_binding_v1 or kubernetes_role_binding_v1 with a Group subject.
  2. Change the subject to ServiceAccount.
  3. Apply terraform.

Expected Behavior

Subject should be changed successfully.

Actual Behavior

The following errors are emitted:

  • Error: Failed to update ClusterRoleBinding: ClusterRoleBinding.rbac.authorization.k8s.io "openvpn-server" is invalid: subjects[0].apiGroup: Unsupported value: "rbac.authorization.k8s.io": supported values: ""
  • Error: Failed to update RoleBinding: RoleBinding.rbac.authorization.k8s.io "openvpn-server" is invalid: subjects[0].apiGroup: Unsupported value: "rbac.authorization.k8s.io": supported values: ""

Important details:

  • The plan does not show a change in api_group.
  • The provider actually sends a PATCH request mentioning the old apiGroup:
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: 2023/10/16 14:14:43 [DEBUG] Kubernetes API Request Details:
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: ---[ REQUEST ]---------------------------------------
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: PATCH /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/openvpn-server HTTP/1.1
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: Host: ....gr7.eu-central-1.eks.amazonaws.com
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: User-Agent: HashiCorp/1.0 Terraform/1.5.7
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: Content-Length: 157
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: Accept: application/json, */*
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: Authorization: Bearer k8s-aws-v1....
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: Content-Type: application/json-patch+json
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: Accept-Encoding: gzip
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: 
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: [
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5:  {
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5:   "path": "/subjects/0",
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5:   "value": {
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5:    "kind": "ServiceAccount",
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5:    "apiGroup": "rbac.authorization.k8s.io",
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5:    "name": "server",
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5:    "namespace": "openvpn-server"
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5:   },
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5:   "op": "replace"
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5:  }
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: ]
    2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: -----------------------------------------------------
    

References

  • It looks like GH-204, but for updating instead of creation.

matshch Oct 16 '23 11:10
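An added example, not part of the original report and not the provider's code: a preflight check that pulls the JSON Patch body out of the provider's debug log and applies the per-kind apiGroup rule that the API server enforced in the errors above. The function names and the trimmed sample log are constructed for illustration; the User/Group rule comes from upstream RBAC validation, not from the report.

```python
import json
import re

# apiGroup the API server accepts per subject kind. The ServiceAccount row is
# the rule quoted in the error above; User/Group follow upstream RBAC validation.
ALLOWED_API_GROUP = {"ServiceAccount": "", "User": "rbac.authorization.k8s.io",
                     "Group": "rbac.authorization.k8s.io"}

# "<timestamp> [DEBUG] provider.<binary>: " prefix on every TF_LOG=DEBUG line.
PREFIX = re.compile(r"^\s*\S+ \[DEBUG\] provider\.\S+: ?")

# Constructed sample input, rebuilt from the log in the report (headers trimmed).
_P = "2023-10-16T14:14:43.047+0300 [DEBUG] provider.terraform-provider-kubernetes_v2.23.0_x5: "
SAMPLE_LOG = "\n".join(_P + line for line in [
    "PATCH /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/openvpn-server HTTP/1.1",
    "Content-Type: application/json-patch+json", "",
    "[", " {", '  "path": "/subjects/0",', '  "value": {',
    '   "kind": "ServiceAccount",', '   "apiGroup": "rbac.authorization.k8s.io",',
    '   "name": "server",', '   "namespace": "openvpn-server"',
    "  },", '  "op": "replace"', " }", "]",
    "-----------------------------------------------------"])

def extract_patch(log_text):
    """Return the JSON Patch operations logged between the '[' and ']' lines."""
    lines = [PREFIX.sub("", raw) for raw in log_text.splitlines()]
    start = next(i for i, ln in enumerate(lines) if ln.strip() == "[")
    end = next(i for i in range(start, len(lines)) if lines[i].strip() == "]")
    return json.loads("\n".join(lines[start:end + 1]))

def check_subject_ops(ops):
    """Flag subject writes whose apiGroup the API server would reject for that kind."""
    findings = []
    for op in ops:
        m = re.fullmatch(r"/subjects/(\d+)", op.get("path", ""))
        if not m or op.get("op") not in ("add", "replace"):
            continue
        subject = op["value"]
        want = ALLOWED_API_GROUP.get(subject.get("kind"))
        got = subject.get("apiGroup", "")
        # Empty/omitted apiGroup is defaulted server-side; only a non-empty mismatch fails.
        if want is not None and got and got != want:
            findings.append(f'subjects[{m.group(1)}].apiGroup: Unsupported value: '
                            f'"{got}": supported values: "{want}"')
    return findings

if __name__ == "__main__":
    for finding in check_subject_ops(extract_patch(SAMPLE_LOG)):
        print(finding)
```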