OCPBUGS-56178 (OpenShift Bugs)

AppDynamics Operator Installed in custom namespace creates ClusterRoleBindings referencing ServiceAccounts in appdynamics namespace in RHOCP4

      Description of problem:

      When installing the AppDynamics Operator from the OperatorHub into a custom namespace, the Operator creates several ClusterRoleBinding resources where the namespace field in the subjects is hardcoded to "appdynamics". This leads to invalid RBAC bindings, as the referenced service accounts are created in the custom namespace—not in the default appdynamics namespace.
      This behavior contradicts the expected dynamic templating of resource manifests during installation, where the metadata.namespace for resources like ServiceAccount is appropriately updated to the selected namespace.

      Version-Release number of selected component (if applicable):

      4.18

      How reproducible:

      100%

      Steps to Reproduce:

      1. Create a custom namespace: $ oc create namespace my-custom-namespace
      
      2. Install the AppDynamics Operator from the OperatorHub into my-custom-namespace.
      
      3. After installation, check the created ClusterRoleBinding resources:
      $ oc get clusterrolebinding appdynamics-cluster-agent -o jsonpath='{.subjects}' | jq
      [
        {
          "kind": "ServiceAccount",
          "name": "appdynamics-cluster-agent",
          "namespace": "appdynamics"
        }
      ]
      $ oc get clusterrolebinding appdynamics-cluster-agent-instrumentation -o jsonpath='{.subjects}' | jq
      [
        {
          "kind": "ServiceAccount",
          "name": "appdynamics-cluster-agent",
          "namespace": "appdynamics"
        }
      ]
      $ oc get clusterrolebinding appdynamics-infraviz -o jsonpath='{.subjects}' | jq
      [
        {
          "kind": "ServiceAccount",
          "name": "appdynamics-infraviz",
          "namespace": "appdynamics"
        }
      ]

      Actual results:

      - All the ClusterRoleBinding subjects point to service accounts in the appdynamics namespace:
      [
        {
          "kind": "ServiceAccount",
          "name": "appdynamics-cluster-agent",
          "namespace": "appdynamics"
        }
      ]
      
      - But the actual service accounts were created in my-custom-namespace, e.g.:
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: appdynamics-cluster-agent
        namespace: my-custom-namespace
      
      - This results in invalid RBAC bindings and broken functionality.
      

      Expected results:

      The namespace field in the subjects section of all ClusterRoleBindings should dynamically match the namespace where the Operator is installed, similar to how metadata.namespace is handled in other resources (like ServiceAccount).
      Expected ClusterRoleBinding subject (example):
      subjects:
        - kind: ServiceAccount
          name: appdynamics-cluster-agent
          namespace: my-custom-namespace 

      Additional info:

      Operator Provider: AppDynamics LLC
      Installed from: Red Hat OperatorHub
      
      Operators fail to get the necessary cluster permissions due to RBAC misconfiguration, resulting in potential failures in metrics collection, instrumentation, or other cluster-wide operations.
      
      As a temporary workaround, asked the customer to manually patch the ClusterRoleBindings as below:
      $ oc patch clusterrolebinding appdynamics-cluster-agent --type=json -p='[{"op": "replace", "path": "/subjects/0/namespace", "value": "custom-namespace"}]'
      However, they need a permanent solution for this.
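
An audit for the condition this report describes, as an added example that is not part of the original report or the AppDynamics Operator: it takes the JSON from `oc get clusterrolebinding -o json` and `oc get serviceaccount -A -o json` and lists every ServiceAccount subject that does not resolve to an existing ServiceAccount. The function names, the `example-*` bindings and the sample data are constructed for illustration.

```python
import json
import sys

def dangling_subjects(crb_list, sa_list):
    """Return (binding, namespace, name) for every ServiceAccount subject
    that has no matching ServiceAccount object."""
    existing = {(sa["metadata"]["namespace"], sa["metadata"]["name"])
                for sa in sa_list.get("items", [])}
    findings = []
    for crb in crb_list.get("items", []):
        # `subjects` can be missing or null on a binding with no subjects.
        for subj in crb.get("subjects") or []:
            if subj.get("kind") != "ServiceAccount":
                continue  # User and Group subjects are not namespaced objects
            key = (subj.get("namespace"), subj.get("name"))
            if key not in existing:
                findings.append((crb["metadata"]["name"], *key))
    return findings

def make_crb(name, sa, ns):
    """Build a minimal ClusterRoleBinding with one ServiceAccount subject."""
    return {"metadata": {"name": name},
            "subjects": [{"kind": "ServiceAccount", "name": sa, "namespace": ns}]}

# Constructed sample data reproducing the state described in this report;
# the last three bindings are made up to exercise the non-matching paths.
SAMPLE_CRBS = {"items": [
    make_crb("appdynamics-cluster-agent", "appdynamics-cluster-agent", "appdynamics"),
    make_crb("appdynamics-cluster-agent-instrumentation",
             "appdynamics-cluster-agent", "appdynamics"),
    make_crb("appdynamics-infraviz", "appdynamics-infraviz", "appdynamics"),
    make_crb("example-healthy-binding", "appdynamics-infraviz", "my-custom-namespace"),
    {"metadata": {"name": "example-group-binding"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"metadata": {"name": "example-empty-binding"}, "subjects": None},
]}
SAMPLE_SAS = {"items": [
    {"metadata": {"name": n, "namespace": "my-custom-namespace"}}
    for n in ("appdynamics-cluster-agent", "appdynamics-infraviz")]}

if __name__ == "__main__":
    # Real input: oc get clusterrolebinding -o json > crb.json
    #             oc get serviceaccount -A -o json > sa.json
    crbs, sas = SAMPLE_CRBS, SAMPLE_SAS
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            crbs, sas = json.load(f1), json.load(f2)
    for binding, ns, name in dangling_subjects(crbs, sas):
        print(f"{binding}: ServiceAccount {ns}/{name} not found")
```

Running it again after patching the bindings shows whether every subject now resolves; an empty result means none are left pointing at a ServiceAccount that does not exist.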

              rh-ee-cchantse Catherine Chan-Tse
              rhn-support-sdharma Suruchi Dharma
              bruno andrade bruno andrade
              Brett Tofel, Catherine Chan-Tse