Merge pull request #122893 from danwinship/kubeadm-rolebinding-failure

Fix EnsureAdminClusterRoleBindingImpl error handling
2025-07-29 22:46:12 +00:00 · 2024-01-21 19:18:47 +01:00 · 2024-01-21 19:18:47 +01:00 · a07b1aaa5b
commit a07b1aaa5b
parent 418ae605ec b18caee5df
1 changed files with 4 additions and 5 deletions
--- a/cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go
+++ b/cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go
@ -642,15 +642,14 @@ func EnsureAdminClusterRoleBindingImpl(ctx context.Context, adminClient, superAd
 				clusterRoleBinding,
 				metav1.CreateOptions{},
 			); err != nil {
+				// (Create returns a non-nil object even on error, but the
+				// code after the poll uses `crbResult != nil` to
+				// determine success.)
+				crbResult = nil
 				if apierrors.IsForbidden(err) {
 					// If it encounters a forbidden error this means that the API server was reached
 					// but the CRB is missing - i.e. the admin.conf user does not have permissions
 					// to create its own permission RBAC yet.
-					//
-					// When a "create" call is made, but the resource is forbidden, a non-nil
-					// CRB will still be returned. Return true here, but update "crbResult" to nil,
-					// to ensure that the process continues with super-admin.conf.
-					crbResult = nil
 					return true, nil
 				} else if apierrors.IsAlreadyExists(err) {
 					// If the CRB exists it means the admin.conf already has the right