ods-core icon indicating copy to clipboard operation
ods-core copied to clipboard

Published 20 hours ago verified publisher icon opendevstack

rolebinding admin lost when cloning environment

Open gerardcl opened this issue 4 years ago • 0 comments

oc new-project <project-name> creates a role binding with name admin, for example (abbreviated):

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: admin
  namespace: autst-feature-16
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
  - kind: ServiceAccount
    name: jenkins
    namespace: autst-cd

When using oc apply the role binding named admin in rolebinding.yaml (exported from the cloned environment, here autst-dev) wins and replaces the role binding above. This means jenkins itself no longer has admin provisions and fails fatally.

The import script is using oc create --save-config ... (https://github.com/opendevstack/ods-project-quickstarters/blob/17e530e7b623625bce38933c5ed242462cd7166e/ocp-templates/scripts/import_ocp_project_metadata.sh#L491) to avoid the issue above.

However, the existing rolebinding created by new-project is not overwritten. But the rolebinding named admin from rolebinding.yaml gets lost.

gerardcl avatar Sep 16 '19 16:09 gerardcl