
@tombentley
Last active February 20, 2018 15:49
$ oc create -f ./other-binding.yaml
Error from server: error when creating "./other-binding.yaml": invalid origin role binding strimzi-cluster-controller-binding-other: attempts to reference role in namespace "myproject" instead of current namespace "other"
---
# RoleBinding placed in namespace "other" that grants the
# strimzi-cluster-controller service account (defined in "myproject") the
# rules of strimzi-cluster-controller-role, scoped to "other".
# NOTE(review): nesting is restored here; the captured listing had lost its
# indentation.
#
# The "attempt to grant extra privileges" response recorded alongside this
# manifest is the RBAC escalation check working as intended: the creating
# user (shown as "developer") does not hold every rule of the referenced
# role in this namespace, so the API server refuses to let them hand those
# rules out. The binding has to be created by an identity that already holds
# them (for example a cluster administrator); the fix is not to broaden the
# developer account just to get the manifest accepted.
apiVersion: v1
kind: RoleBinding
metadata:
  name: strimzi-cluster-controller-binding-other
  namespace: other
  labels:
    app: strimzi
subjects:
  # Cross-namespace subject: a service account from "myproject" receives
  # rights inside "other". Anything able to run as this service account in
  # "myproject" gains the bound rules here as well.
  - kind: ServiceAccount
    name: strimzi-cluster-controller
    namespace: myproject
roleRef:
  kind: ClusterRole
  name: strimzi-cluster-controller-role
  # NOTE(review): this namespace is presumably what triggers the recorded
  # "attempts to reference role in namespace "myproject" instead of current
  # namespace "other"" error. A ClusterRole is not namespaced, so the
  # reference should carry no namespace. Confirm against the API version in use.
  namespace: myproject
  # NOTE(review): "v1" is an API version, not an API group. With
  # rbac.authorization.k8s.io bindings, roleRef.apiGroup is
  # "rbac.authorization.k8s.io". Whether the legacy v1 RoleBinding reads this
  # field at all is not visible here. TODO confirm.
  apiGroup: v1
---
$ oc create -f ./other-binding.yaml
Error from server (Forbidden): error when creating "./other-binding.yaml": rolebindings "strimzi-cluster-controller-binding-other" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["replicationcontrollers"], APIGroups:["extensions"], Verbs:["create"]} PolicyRule{Resources:["replicationcontrollers"], APIGroups:["extensions"], Verbs:["delete"]} PolicyRule{Resources:["replicationcontrollers"], APIGroups:["extensions"], Verbs:["get"]} PolicyRule{Resources:["replicationcontrollers"], APIGroups:["extensions"], Verbs:["list"]} PolicyRule{Resources:["replicationcontrollers"], APIGroups:["extensions"], Verbs:["patch"]} PolicyRule{Resources:["replicationcontrollers"], APIGroups:["extensions"], Verbs:["update"]} PolicyRule{Resources:["replicationcontrollers"], APIGroups:["extensions"], Verbs:["watch"]} PolicyRule{Resources:["deployments/status"], APIGroups:["apps"], Verbs:["create"]} PolicyRule{Resources:["deployments/status"], APIGroups:["apps"], Verbs:["delete"]} PolicyRule{Resources:["deployments/status"], APIGroups:["apps"], Verbs:["get"]} PolicyRule{Resources:["deployments/status"], APIGroups:["apps"], Verbs:["list"]} PolicyRule{Resources:["deployments/status"], APIGroups:["apps"], Verbs:["patch"]} PolicyRule{Resources:["deployments/status"], APIGroups:["apps"], Verbs:["update"]} PolicyRule{Resources:["deployments/status"], APIGroups:["apps"], Verbs:["watch"]} PolicyRule{Resources:["deploymentconfigs/finalizers"], APIGroups:["apps.openshift.io"], Verbs:["create"]} PolicyRule{Resources:["deploymentconfigs/finalizers"], APIGroups:["apps.openshift.io"], Verbs:["delete"]} PolicyRule{Resources:["deploymentconfigs/finalizers"], APIGroups:["apps.openshift.io"], Verbs:["get"]} PolicyRule{Resources:["deploymentconfigs/finalizers"], APIGroups:["apps.openshift.io"], Verbs:["list"]} PolicyRule{Resources:["deploymentconfigs/finalizers"], APIGroups:["apps.openshift.io"], Verbs:["patch"]} PolicyRule{Resources:["deploymentconfigs/finalizers"], 
APIGroups:["apps.openshift.io"], Verbs:["update"]} PolicyRule{Resources:["deploymentconfigs/finalizers"], APIGroups:["apps.openshift.io"], Verbs:["watch"]} PolicyRule{Resources:["deploymentconfigs/status"], APIGroups:["apps.openshift.io"], Verbs:["create"]} PolicyRule{Resources:["deploymentconfigs/status"], APIGroups:["apps.openshift.io"], Verbs:["delete"]} PolicyRule{Resources:["deploymentconfigs/status"], APIGroups:["apps.openshift.io"], Verbs:["patch"]} PolicyRule{Resources:["deploymentconfigs/status"], APIGroups:["apps.openshift.io"], Verbs:["update"]} PolicyRule{Resources:["imagestreams/status"], APIGroups:["image.openshift.io"], Verbs:["create"]} PolicyRule{Resources:["imagestreams/status"], APIGroups:["image.openshift.io"], Verbs:["delete"]} PolicyRule{Resources:["imagestreams/status"], APIGroups:["image.openshift.io"], Verbs:["patch"]} PolicyRule{Resources:["imagestreams/status"], APIGroups:["image.openshift.io"], Verbs:["update"]}] user=&{developer [system:authenticated:oauth system:authenticated] map[scopes.authorization.openshift.io:[user:full]]} ownerrules=[PolicyRule{Resources:["users"], ResourceNames:["~"], APIGroups:["" "user.openshift.io"], Verbs:["get"]} PolicyRule{Resources:["projectrequests"], APIGroups:["" "project.openshift.io"], Verbs:["list"]} PolicyRule{Resources:["clusterroles"], APIGroups:["" "authorization.openshift.io"], Verbs:["get" "list"]} PolicyRule{Resources:["clusterroles"], APIGroups:["rbac.authorization.k8s.io"], Verbs:["get" "list" "watch"]} PolicyRule{Resources:["storageclasses"], APIGroups:["storage.k8s.io"], Verbs:["get" "list"]} PolicyRule{Resources:["projects"], APIGroups:["" "project.openshift.io"], Verbs:["list" "watch"]} PolicyRule{Resources:["selfsubjectrulesreviews"], APIGroups:["" "authorization.openshift.io"], Verbs:["create"]} PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/healthz" "/healthz/*"], Verbs:["get"]} 
PolicyRule{NonResourceURLs:["/version" "/version/*" "/api" "/api/*" "/apis" "/apis/*" "/oapi" "/oapi/*" "/swaggerapi" "/swaggerapi/*" "/swagger.json" "/swagger-2.0.0.pb-v1" "/osapi" "/osapi/" "/.well-known" "/.well-known/*" "/"], Verbs:["get"]} PolicyRule{Resources:["selfsubjectrulesreviews"], APIGroups:["" "authorization.openshift.io"], Verbs:["create"]} PolicyRule{Resources:["selfsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{Resources:["projectrequests"], APIGroups:["" "project.openshift.io"], Verbs:["create"]} PolicyRule{Resources:["selfsubjectaccessreviews" "selfsubjectrulesreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{Resources:["builds/docker" "builds/optimizeddocker"], APIGroups:["" "build.openshift.io"], Verbs:["create"]} PolicyRule{Resources:["builds/jenkinspipeline"], APIGroups:["" "build.openshift.io"], Verbs:["create"]} PolicyRule{Resources:["builds/source"], APIGroups:["" "build.openshift.io"], Verbs:["create"]} PolicyRule{NonResourceURLs:["/version" "/version/*" "/api" "/api/*" "/apis" "/apis/*" "/oapi" "/oapi/*" "/swaggerapi" "/swaggerapi/*" "/swagger.json" "/swagger-2.0.0.pb-v1" "/osapi" "/osapi/" "/.well-known" "/.well-known/*" "/"], Verbs:["get"]} PolicyRule{NonResourceURLs:["/version" "/version/*" "/api" "/api/*" "/apis" "/apis/*" "/oapi" "/oapi/*" "/swaggerapi" "/swaggerapi/*" "/swagger.json" "/swagger-2.0.0.pb-v1" "/osapi" "/osapi/" "/.well-known" "/.well-known/*" "/"], Verbs:["get"]} PolicyRule{Resources:["oauthaccesstokens" "oauthauthorizetokens"], APIGroups:["" "oauth.openshift.io"], Verbs:["delete"]} PolicyRule{Resources:["userextras/scopes.authorization.openshift.io"], APIGroups:["authentication.k8s.io"], Verbs:["impersonate"]} PolicyRule{Resources:["buildconfigs/webhooks"], APIGroups:["" "build.openshift.io"], Verbs:["create" "get"]} PolicyRule{Resources:["pods" "pods/attach" "pods/exec" "pods/portforward" "pods/proxy"], APIGroups:[""], Verbs:["create" "delete" 
"deletecollection" "get" "list" "patch" "update" "watch"]} PolicyRule{Resources:["configmaps" "endpoints" "persistentvolumeclaims" "replicationcontrollers" "replicationcontrollers/scale" "secrets" "serviceaccounts" "services" "services/proxy"], APIGroups:[""], Verbs:["create" "delete" "deletecollection" "get" "list" "patch" "update" "watch"]} PolicyRule{Resources:["bindings" "events" "limitranges" "namespaces/status" "pods/log" "pods/status" "replicationcontrollers/status" "resourcequotas" "resourcequotas/status"], APIGroups:[""], Verbs:["get" "list" "watch"]} PolicyRule{Resources:["namespaces"], APIGroups:[""], Verbs:["get" "list" "watch"]} PolicyRule{Resources:["serviceaccounts"], APIGroups:[""], Verbs:["impersonate"]} PolicyRule{Resources:["daemonsets" "deployments" "deployments/rollback" "deployments/scale" "replicasets" "replicasets/scale" "statefulsets"], APIGroups:["apps"], Verbs:["create" "delete" "deletecollection" "get" "list" "patch" "update" "watch"]} PolicyRule{Resources:["horizontalpodautoscalers"], APIGroups:["autoscaling"], Verbs:["create" "delete" "deletecollection" "get" "list" "patch" "update" "watch"]} PolicyRule{Resources:["cronjobs" "jobs"], APIGroups:["batch"], Verbs:["create" "delete" "deletecollection" "get" "list" "patch" "update" "watch"]} PolicyRule{Resources:["daemonsets" "deployments" "deployments/rollback" "deployments/scale" "ingresses" "replicasets" "replicasets/scale" "replicationcontrollers/scale"], APIGroups:["extensions"], Verbs:["create" "delete" "deletecollection" "get" "list" "patch" "update" "watch"]} PolicyRule{Resources:["poddisruptionbudgets"], APIGroups:["policy"], Verbs:["create" "delete" "deletecollection" "get" "list" "patch" "update" "watch"]} PolicyRule{Resources:["localsubjectaccessreviews"], APIGroups:["authorization.k8s.io"], Verbs:["create"]} PolicyRule{Resources:["rolebindings" "roles"], APIGroups:["rbac.authorization.k8s.io"], Verbs:["create" "delete" "deletecollection" "get" "list" "patch" "update" "watch"]} 
PolicyRule{Resources:["rolebindings" "roles"], APIGroups:["" "authorization.openshift.io"], Verbs:["create" "delete" "deletecollection" "get" "list" "patch" "update" "watch"]} PolicyRule{Resources:["localresourceaccessreviews" "localsubjectaccessreviews" "subjectrulesreviews"], APIGroups:["" "authorization.openshift.io"], Verbs:["create"]} PolicyRule{Resources:["podsecuritypolicyreviews" "podsecuritypolicyselfsubjectreviews" "podsecuritypolicysubjectreviews"], APIGroups:["" "security.openshift.io"], Verbs:["create"]} PolicyRule{Resources:["rolebindingrestrictions"], APIGroups:["" "authorization.openshift.io"], Verbs:["get" "list" "watch"]} PolicyRule{Resources:["buildconfigs" "buildconfigs/webhooks" "builds"], APIGroups:["" "build.openshift.io"], Verbs:["create" "delete" "deletecollection" "get" "list" "patch" "update" "watch"]} PolicyRule{Resources:["builds/log"], APIGroups:["" "build.openshift.io"], Verbs:["get" "list" "watch"]} PolicyRule{Resources:["buildconfigs/instantiate" "buildconfigs/instantiatebinary" "builds/clone"], APIGroups:["" "build.openshift.io"], Verbs:["create"]} PolicyRule{Resources:["builds/details"], APIGroups:["" "build.openshift.io"], Verbs:["update"]} PolicyRule{Resources:["jenkins"], APIGroups:["build.openshift.io"], Verbs:["admin" "edit" "view"]} PolicyRule{Resources:["deploymentconfigs" "deploymentconfigs/scale"], APIGroups:["" "apps.openshift.io"], Verbs:["create" "delete" "deletecollection" "get" "list" "patch" "update" "watch"]} PolicyRule{Resources:["deploymentconfigrollbacks" "deploymentconfigs/instantiate" "deploymentconfigs/rollback"], APIGroups:["" "apps.openshift.io"], Verbs:["create"]} PolicyRule{Resources:["deploymentconfigs/log" "deploymentconfigs/status"], APIGroups:["" "apps.openshift.io"], Verbs:["get" "list" "watch"]} PolicyRule{Resources:["imagestreamimages" "imagestreammappings" "imagestreams" "imagestreams/secrets" "imagestreamtags"], APIGroups:["" "image.openshift.io"], Verbs:["create" "delete" "deletecollection" 
"get" "list" "patch" "update" "watch"]} PolicyRule{Resources:["imagestreams/status"], APIGroups:["" "image.openshift.io"], Verbs:["get" "list" "watch"]} PolicyRule{Resources:["imagestreams/layers"], APIGroups:["" "image.openshift.io"], Verbs:["get" "update"]} PolicyRule{Resources:["imagestreamimports"], APIGroups:["" "image.openshift.io"], Verbs:["create"]} PolicyRule{Resources:["projects"], APIGroups:["" "project.openshift.io"], Verbs:["delete" "get" "patch" "update"]} PolicyRule{Resources:["appliedclusterresourcequotas"], APIGroups:["" "quota.openshift.io"], Verbs:["get" "list" "watch"]} PolicyRule{Resources:["routes"], APIGroups:["" "route.openshift.io"], Verbs:["create" "delete" "deletecollection" "get" "list" "patch" "update" "watch"]} PolicyRule{Resources:["routes/custom-host"], APIGroups:["" "route.openshift.io"], Verbs:["create"]} PolicyRule{Resources:["routes/status"], APIGroups:["" "route.openshift.io"], Verbs:["get" "list" "watch"]} PolicyRule{Resources:["routes/status"], APIGroups:["" "route.openshift.io"], Verbs:["update"]} PolicyRule{Resources:["processedtemplates" "templateconfigs" "templateinstances" "templates"], APIGroups:["" "template.openshift.io"], Verbs:["create" "delete" "deletecollection" "get" "list" "patch" "update" "watch"]} PolicyRule{Resources:["networkpolicies"], APIGroups:["networking.k8s.io"], Verbs:["create" "delete" "deletecollection" "get" "list" "patch" "update" "watch"]} PolicyRule{Resources:["buildlogs"], APIGroups:["" "build.openshift.io"], Verbs:["create" "delete" "deletecollection" "get" "list" "patch" "update" "watch"]} PolicyRule{Resources:["resourcequotausages"], APIGroups:[""], Verbs:["get" "list" "watch"]} PolicyRule{Resources:["resourceaccessreviews" "subjectaccessreviews"], APIGroups:["" "authorization.openshift.io"], Verbs:["create"]}] ruleResolutionErrors=[]