namespace transformation fails to update rolebinding subject #1377

Closed
richardmarshall opened this issue Jul 20, 2019 · 14 comments

@richardmarshall
Contributor

Starting in v3.0.3, if a resource is included with the same namespace as the target for the namespace transformer, the service account update for rolebindings will not set the namespace correctly.

For the following kustomization and resources:

cat kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: foo
resources:
- test.yaml
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: crb
subjects:
- kind: ServiceAccount
  name: sa
  namespace: bar
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa
  namespace: bar
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: cm
  namespace: foo # this configmap has the same namespace as the transformer target

Output from v3.0.2

apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa
  namespace: foo
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: crb
subjects:
- kind: ServiceAccount
  name: sa
  namespace: foo
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: cm
  namespace: foo

Output from v3.0.3

apiVersion: v1
kind: ServiceAccount
metadata:
  name: sa
  namespace: foo
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: crb
subjects:
- kind: ServiceAccount
  name: sa
  namespace: null
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: cm
  namespace: foo

In v3.0.3 the subject of the ClusterRoleBinding has a null namespace instead of the expected value foo.

Without the explicit .metadata.namespace in the configmap the update of the role binding works as expected.

Discovered in this Slack thread for more context:
https://kubernetes.slack.com/archives/C9A5ALABG/p1563542754114100

Will look into what is causing this when I have some available time.

@jbrette
Contributor

jbrette commented Jul 21, 2019

@jbrette
Contributor

jbrette commented Jul 24, 2019

@richardmarshall The #1379 has been merged. Can you check it and close the bug?

@richardmarshall
Contributor Author

@jbrette Looks good, closing.

@jannickfahlbusch

jannickfahlbusch commented Jul 25, 2019

It seems like #1379 (f649b62 to be precise) broke our setup with replacing the namespace. We are using kubebuilder and kustomize on top of it.

Here is a simplified example which reproduces the issue:

default/kustomization.yaml:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: "foo"

bases:
 - ../manager

manager/kustomization.yaml:

resources:
  - clusterRoleBinding.yaml

manager/clusterRoleBinding.yaml:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: manager-role
subjects:
- kind: ServiceAccount
  name: default
  namespace: system

After running kustomize build we get the following YAML:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: manager-role
subjects:
- kind: ServiceAccount
  name: default
  namespace: system

Expected was:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: null
  name: manager-rolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: manager-role
subjects:
- kind: ServiceAccount
  name: default
  namespace: foo

So far I tried to find a workaround for this issue with no success. Did the syntax to replace the namespace change, or is this a new bug?

@Liujingfang1
Contributor

@jannickfahlbusch Thank you for reporting the issue. This is a new bug. The namespace transformation on default ServiceAccount was hard coded previously. This change removed it. We should fix that. @jbrette Can you take a look? If solving it in the namereference is not feasible, we can reuse the previous logic.

@Liujingfang1 Liujingfang1 reopened this Jul 25, 2019
@jannickfahlbusch

Interesting, I just tried to change the name of the ServiceAccount to a value different than default. It's not working in the last versions if the name is not default (Tried all v3.0.x versions and v2.1.0)

@Liujingfang1
Contributor

@jannickfahlbusch This is fixed in 3.1.0.

@YiannisGkoufas

YiannisGkoufas commented Sep 17, 2020

Just to say that this is still not working in 3.8.2 as well. If you use any other name besides default the namespace won't be updated.

kustomization.yaml:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: my-namespace
resources:
  - role_binding.yaml

rolebinding.yaml:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dataset-operator
subjects:
- kind: ServiceAccount
  name: dataset-operator # Doesn't replace the namespace value
  namespace: foo
roleRef:
  kind: ClusterRole
  name: dataset-operator
  apiGroup: rbac.authorization.k8s.io

The above keeps the namespace as foo

However if I modify the subjects as:

rolebinding.yaml:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dataset-operator
subjects:
- kind: ServiceAccount
  name: default # Replaces the namespace value
  namespace: foo
roleRef:
  kind: ClusterRole
  name: dataset-operator
  apiGroup: rbac.authorization.k8s.io

Kustomize will work correctly and replace namespace with my-namespace

@YiannisGkoufas

By the way also by using vars it won't work:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dataset-operator
subjects:
- kind: ServiceAccount
  name: default
  namespace: $(dataset-operator-namespace)
roleRef:
  kind: ClusterRole
  name: dataset-operator
  apiGroup: rbac.authorization.k8s.io

@Shell32-Natsu
Contributor

@YiannisGkoufas Could you provide the definition of your ServiceAccount?

@YiannisGkoufas

I don't think it would make any difference, since I haven't even included it in the resources.
But here it is:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: dataset-operator

@Shell32-Natsu
Contributor

@YiannisGkoufas Seems dup with #2906

@YiannisGkoufas

Yep indeed! So the ServiceAccount and the reference on the ClusterRoleBinding need to have as namespace "default" for it to be replaced. Should be documented somewhere though :)
Thanks @Shell32-Natsu

@Shell32-Natsu
Contributor

Good to hear that solves your problem.

/close
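
A check for the two symptoms reported in this thread (a ServiceAccount subject left with a null namespace, and one left on its original namespace), added here as an example and not part of the thread or of kustomize. It assumes every ServiceAccount subject is meant to land in the kustomization's `namespace`; the function names and the sample manifests are constructed for illustration.

```python
# Added example: audit rendered manifests for RBAC subjects that the
# namespace transformer left unset or stale. All names here are hypothetical.
BINDING_KINDS = {"RoleBinding", "ClusterRoleBinding"}


def load_rendered(text):
    """Parse `kustomize build` output (multi-document YAML) into dicts."""
    import yaml  # PyYAML; assumed to be installed when reading real output
    return [doc for doc in yaml.safe_load_all(text) if doc]


def audit_binding_subjects(docs, target_ns):
    """Return (binding, subject, problem) for each ServiceAccount subject
    whose namespace is unset or is not target_ns."""
    findings = []
    for doc in docs:
        if doc.get("kind") not in BINDING_KINDS:
            continue
        binding = f"{doc['kind']}/{doc['metadata']['name']}"
        for subject in doc.get("subjects") or []:
            if subject.get("kind") != "ServiceAccount":
                continue
            ns = subject.get("namespace")
            if not ns:
                problem = "namespace unset"
            elif ns != target_ns:
                problem = f"namespace {ns} not rewritten to {target_ns}"
            else:
                continue
            findings.append((binding, subject.get("name"), problem))
    return findings


# Constructed samples mirroring the outputs reported in this thread.
V303_OUTPUT = [
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "sa", "namespace": "foo"}},
    {"apiVersion": "rbac.authorization.k8s.io/v1beta1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "crb"},
     "subjects": [{"kind": "ServiceAccount", "name": "sa", "namespace": None}]},
]
STALE_OUTPUT = [
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "dataset-operator"},
     "subjects": [{"kind": "ServiceAccount", "name": "dataset-operator",
                   "namespace": "foo"}]},
]

if __name__ == "__main__":
    for docs, ns in ((V303_OUTPUT, "foo"), (STALE_OUTPUT, "my-namespace")):
        for finding in audit_binding_subjects(docs, ns):
            print(*finding, sep=": ")
```

Run against the rendered output in CI before applying, and fail the job on any finding so a binding never reaches the cluster pointing at a ServiceAccount outside the intended namespace.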
