rancher: auto-generated Rolebinding label too long
Rancher Server Setup
- Rancher version: 2.5.8
- Installation option (Docker install/Helm Chart): EKS
- Proxy/Cert Details:
Information about the Cluster
- Kubernetes version: 1.20
Describe the bug
[ERROR] error syncing 'p-blksv/project-owner-connected-services-connected-servicesdev3role': handler cluster-prtb-sync: couldn't ensure binding project-owner-connected-services-connected-servicesdev3role in connected-services--dev: RoleBinding.rbac.authorization.k8s.io "rb-lagv4pmhz3" is invalid: metadata.labels: Invalid value: "p-blksv_project-owner-connected-services-connected-servicesdev3role": must be no more than 63 characters, requeuing
To Reproduce Create a cluster with long project names and roles with long names
Result User is logged in, but cannot see his project
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Reactions: 1
- Comments: 18 (9 by maintainers)
@ebuildy, if you try to create a role template binding with a very long name for a project or cluster via Terraform, then Rancher will reject the request. The Terraform provider’s API calls reach out to the Rancher endpoints that validate such resources, and Rancher validates the length of binding names.
The only way to trigger this issue’s behavior is to create a binding in the local cluster via kubectl. In this case, Rancher is not involved in the creation of the resource, it only reacts to it. When it detects a new binding, it tries to create standard Kubernetes RBAC resources in the local and remote cluster as needed. This is where the problem occurs.
We are actively working on a fix, and we aim to include it in a Q3 release.