From b18caee5dfce44d89ca5e127c035274f7ace18c7 Mon Sep 17 00:00:00 2001
From: Dan Winship
Date: Sat, 20 Jan 2024 14:08:10 -0500
Subject: [PATCH] Fix EnsureAdminClusterRoleBindingImpl error handling

The code assumed Create() returned nil on error, but that's only true for the fake clients in unit tests.
---
 cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go b/cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go
index 42cf8e07d72..75215e71e2b 100644
--- a/cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go
+++ b/cmd/kubeadm/app/phases/kubeconfig/kubeconfig.go
@@ -642,15 +642,14 @@ func EnsureAdminClusterRoleBindingImpl(ctx context.Context, adminClient, superAd
 clusterRoleBinding,
 metav1.CreateOptions{},
 ); err != nil {
+ // (Create returns a non-nil object even on error, but the
+ // code after the poll uses `crbResult != nil` to
+ // determine success.)
+ crbResult = nil
 if apierrors.IsForbidden(err) {
 // If it encounters a forbidden error this means that the API server was reached
 // but the CRB is missing - i.e. the admin.conf user does not have permissions
 // to create its own permission RBAC yet.
- //
- // When a "create" call is made, but the resource is forbidden, a non-nil
- // CRB will still be returned. Return true here, but update "crbResult" to nil,
- // to ensure that the process continues with super-admin.conf.
- crbResult = nil
 return true, nil
 } else if apierrors.IsAlreadyExists(err) {
 // If the CRB exists it means the admin.conf already has the right
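Review bot: The hoisted `crbResult = nil` now also runs on the `apierrors.IsAlreadyExists(err)` path, whose own comment says admin.conf already has the right permissions. Since the added comment states that the code after the poll treats `crbResult != nil` as success, an existing binding would presumably be handled like the forbidden case and fall through to the super-admin.conf client, which means broader credentials than needed, or a failure where that file is absent. Consider keeping the reset out of that branch, or tracking the outcome explicitly, e.g. a `crbExists` boolean set to `true` on create success and on AlreadyExists, instead of overloading the returned object. The AlreadyExists branch and the post-poll check end outside this hunk, so confirm against the full function.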