[Release-1.27] - `rke2-cloud-controller-manager` RB/CRBs subject lists grow without bound #6291

brandond · 2024-07-09T19:08:21Z

Backport fix for rke2-cloud-controller-manager RB/CRBs subject lists grow without bound

rke2-cloud-controller-manager RB/CRBs subject lists grow without bound #6272

The text was updated successfully, but these errors were encountered:

VestigeJ · 2024-07-31T18:19:33Z

Reproduction from a 45 minute old rke2 cluster

$ kubectl -n kube-system get rolebinding rke2-cloud-controller-manager-authentication-reader -o yaml;kg clusterrolebinding rke2-cloud-controller-manager -n kube-system -o yaml;kg clusterrolebinding rke2-cloud-controller-manager-auth-delegator -n kube-system -o yaml;

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2024-07-31T17:25:30Z"
  labels:
    rke2.io/bootstrapping: rbac-defaults
  name: rke2-cloud-controller-manager-authentication-reader
  namespace: kube-system
  resourceVersion: "13648"
  uid: 3b9de0fc-8a9d-46ef-b0ea-b466b5110421
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: rke2-cloud-controller-manager
  namespace: kube-system
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: rke2-cloud-controller-manager
  namespace: kube-system
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: rke2-cloud-controller-manager
  namespace: kube-system
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: rke2-cloud-controller-manager
  namespace: kube-system
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2024-07-31T17:25:28Z"
  labels:
    rke2.io/bootstrapping: rbac-defaults
  name: rke2-cloud-controller-manager
  resourceVersion: "13647"
  uid: 3bfc916e-7a83-458d-857a-c173557084e9
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rke2-cloud-controller-manager
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: rke2-cloud-controller-manager
  namespace: kube-system
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: rke2-cloud-controller-manager
  namespace: kube-system
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: rke2-cloud-controller-manager
  namespace: kube-system
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: rke2-cloud-controller-manager
  namespace: kube-system
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2024-07-31T17:25:28Z"
  labels:
    rke2.io/bootstrapping: rbac-defaults
  name: rke2-cloud-controller-manager-auth-delegator
  resourceVersion: "13646"
  uid: 29e38644-fc85-48a5-a3bb-a117ae10a09f
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: rke2-cloud-controller-manager
  namespace: kube-system
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: rke2-cloud-controller-manager
  namespace: kube-system
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: rke2-cloud-controller-manager
  namespace: kube-system
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: rke2-cloud-controller-manager
  namespace: kube-system

VestigeJ · 2024-07-31T18:23:57Z

Validated using VERSION=v1.27.16-rc4+rke2r1

3 server 1 agent cluster multiple restarts basic configuration

$ kubectl -n kube-system get rolebinding rke2-cloud-controller-manager-authentication-reader -o yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2024-07-31T17:25:30Z"
  labels:
    rke2.io/bootstrapping: rbac-defaults
  name: rke2-cloud-controller-manager-authentication-reader
  namespace: kube-system
  resourceVersion: "241"
  uid: 3b9de0fc-8a9d-46ef-b0ea-b466b5110421
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: extension-apiserver-authentication-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: rke2-cloud-controller-manager
  namespace: kube-system

$ kg clusterrolebinding rke2-cloud-controller-manager -n kube-system -o yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2024-07-31T17:25:28Z"
  labels:
    rke2.io/bootstrapping: rbac-defaults
  name: rke2-cloud-controller-manager
  resourceVersion: "233"
  uid: 3bfc916e-7a83-458d-857a-c173557084e9
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: rke2-cloud-controller-manager
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: rke2-cloud-controller-manager
  namespace: kube-system

$ kg clusterrolebinding rke2-cloud-controller-manager-auth-delegator -n kube-system -o yaml

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: "2024-07-31T17:25:28Z"
  labels:
    rke2.io/bootstrapping: rbac-defaults
  name: rke2-cloud-controller-manager-auth-delegator
  resourceVersion: "230"
  uid: 29e38644-fc85-48a5-a3bb-a117ae10a09f
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:auth-delegator
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: rke2-cloud-controller-manager
  namespace: kube-system

brandond self-assigned this Jul 9, 2024

brandond mentioned this issue Jul 15, 2024

[release-1.27] version bumps and backports for 2024-07 release cycle #6320

Merged

caroline-suse-rancher added this to the v1.27.16+rke2r1 milestone Jul 15, 2024

VestigeJ self-assigned this Jul 22, 2024

VestigeJ closed this as completed Jul 31, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Release-1.27] - `rke2-cloud-controller-manager` RB/CRBs subject lists grow without bound #6291

[Release-1.27] - `rke2-cloud-controller-manager` RB/CRBs subject lists grow without bound #6291

brandond commented Jul 9, 2024

VestigeJ commented Jul 31, 2024

VestigeJ commented Jul 31, 2024

[Release-1.27] - rke2-cloud-controller-manager RB/CRBs subject lists grow without bound #6291

[Release-1.27] - rke2-cloud-controller-manager RB/CRBs subject lists grow without bound #6291

Comments

brandond commented Jul 9, 2024

VestigeJ commented Jul 31, 2024

VestigeJ commented Jul 31, 2024

[Release-1.27] - `rke2-cloud-controller-manager` RB/CRBs subject lists grow without bound #6291

[Release-1.27] - `rke2-cloud-controller-manager` RB/CRBs subject lists grow without bound #6291