RoleBinding not being updated properly on namespace ownership change #1506

Closed
mathis-marcotte opened this issue Jan 16, 2023 · 3 comments

@mathis-marcotte
Contributor

See comments in https://github.com/StatCan/daaas-private/issues/50 for details on the issue.
When changing the owner of a namespace by editing the jsonnet file through our kubeflow profiles repo, it doesn't update the metadata.annotations.user value in the namespaceAdmin RoleBinding object.
That value is what gets looked at when the KFAM api checks to see if a user should have access to a namespace.

@mathis-marcotte mathis-marcotte self-assigned this Jan 16, 2023
@mathis-marcotte
Contributor Author

Updated the profile.libsonnet by re-adding the code that used to create a rolebinding duplicate, but instead of creating a duplicate namespaceAdmin RoleBinding object, it's overriding that namespaceAdmin object with the correct value for metadata.annotations.user.

@mathis-marcotte
Contributor Author

After looking at upstream since the issue did seem to come from upstream code, there is an issue open on their repository that relates to this issue: kubeflow/dashboard#33.
But since this issue seems to be planned for kubeflow 1.7, we will have to implement a temporary solution that will be easily reverted once the actual fix is in.

@mathis-marcotte
Contributor Author

mathis-marcotte commented Feb 6, 2023

Testing with Yann, we noticed that we might still encounter ownership issues in cases where a duplicate namespaceAdmin rolebinding was created (namespaceAdmin-yann-coderre-....).
We tested with the "aaw-demos" namespace by changing ownership from his account to mine. And after looking in kubeflow, we both had access as owners to that namespace. This is because I was the user for the namespaceAdmin rolebinding, but he still had access from the namespaceAdmin-yann-coderre-*. Also, we tested on the manage contributors page and only I could edit the contributors for the namespace, Yann was getting an error message. This is because the authorizationpolicy was to my account since the namespaceAdmin rolebinding was to my account.

So deleting this "namespaceAdmin-yann-coderre-..." rolebinding fixed the issue where Yann was still an owner. Afterwards, we reverted the namespace by replacing me as an owner and putting back Yann and things worked as expected where I was not an owner and he was an owner.
So, whenever a similar issue is encountered, we should delete any of the "namespaceAdmin-user-name-domain" rolebindings present for a namespace so that only the "namespaceAdmin" exists for the correct owner.
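
An audit for the cleanup described in the last comment, as an added example that is not part of the original thread or the project's code. It reads the JSON from `kubectl get rolebindings -n <namespace> -o json` and reports a `namespaceAdmin` binding whose `metadata.annotations.user` disagrees with the intended owner, plus any leftover `namespaceAdmin-*` duplicates. The function name, the sample users and the sample binding names are constructed, and the check assumes the owner is also listed as a `User` subject.

```python
import json

# Constructed sample of `kubectl get rolebindings -n aaw-demos -o json`,
# trimmed to the fields the check reads. Users and name suffixes are made up.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "namespaceAdmin",
                  "annotations": {"user": "new.owner@example.com"}},
     "subjects": [{"kind": "User", "name": "new.owner@example.com"}]},
    {"metadata": {"name": "namespaceAdmin-old-owner-example-com",
                  "annotations": {"user": "old.owner@example.com"}},
     "subjects": [{"kind": "User", "name": "old.owner@example.com"}]},
    {"metadata": {"name": "contributor-binding-example",
                  "annotations": {"user": "contrib@example.com"}},
     "subjects": [{"kind": "User", "name": "contrib@example.com"}]},
]})


def audit_owner_bindings(rolebindings_json, expected_owner):
    """Return (binding name, problem) pairs for owner bindings that
    disagree with expected_owner. Hypothetical helper, read-only."""
    findings = []
    seen_primary = False
    for rb in json.loads(rolebindings_json).get("items", []):
        meta = rb.get("metadata", {})
        name = meta.get("name", "")
        user = (meta.get("annotations") or {}).get("user")
        # Assumption: the owner is granted access as a User subject.
        subjects = [s.get("name") for s in rb.get("subjects") or []
                    if s.get("kind") == "User"]
        if name == "namespaceAdmin":
            seen_primary = True
            if user != expected_owner:
                findings.append((name, f"annotation user is {user!r}"))
            if subjects != [expected_owner]:
                findings.append((name, f"subjects are {subjects}"))
        elif name.startswith("namespaceAdmin-"):
            # Leftover duplicate: still grants owner access to its subject.
            findings.append((name, f"duplicate owner binding for {user or subjects}"))
    if not seen_primary:
        findings.append(("namespaceAdmin", "missing"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_owner_bindings(SAMPLE, "new.owner@example.com"):
        print(f"{name}: {problem}")
```

Anything it reports under a `namespaceAdmin-` name is a candidate for the deletion described above, after confirming who the namespace owner should be.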
