origin: Some rolebindingrestrictions cannot be storage migrated because of a missing namespace
From a prod dataset being tested in #14999. Migration being run on some role binding restrictions is failing.
error: -n AAA rolebindingrestrictions/match-project-admin-user: namespaces "AAA" not found
error: -n BBB rolebindingrestrictions/match-project-admin-user: namespaces "BBB" not found
First, this means that something in the update path is checking for namespace existence on these RBRs. However, if the namespace isn’t being changed during an RBR, it shouldn’t be checked. That’s probably the minimal bug that needs to be fixed here.
However, if the namespace doesn’t exist, why is the RBR blocking? RBR shouldn’t require a namespace to exist in order to mutate it, unless permission checks are required, and if permission checks ARE required, then it needs to be cleaned up prior to deletion, which it apparently was not.
Would like an answer before we deploy 3.6 to a prod env on Wednesday
About this issue
- Original URL
- State: closed
- Created 7 years ago
- Comments: 17 (17 by maintainers)
Commits related to this issue
- Merge pull request #15721 from enj/enj/u/request_info_err/49868 Automatic merge from submit-queue (batch tested with PRs 15581, 15721) Update etcd stores to use DefaultQualifiedResource This field ... — committed to openshift/origin by openshift-merge-robot 7 years ago
- Merge pull request #15213 from enj/enj/i/migrate_oprhaned_resources/15006 Automatic merge from submit-queue (batch tested with PRs 15213, 16338) Not found errors must match object in migration This... — committed to openshift/origin by openshift-merge-robot 7 years ago
https://github.com/openshift/origin/pull/15123 fixes admission to allow cleanup of orphaned objects even when the namespace doesn’t exist
backports in https://github.com/openshift/ose/pull/800 and https://github.com/openshift/ose/pull/801