handle case where plugin is configured to think the oauth apiserver i…

…s not present but is still enabled Signed-off-by: Bryce Palmer <[email protected]>
openshift · Jan 23, 2025 · 5bcbdbb · 5bcbdbb
1 parent 476016e
commit 5bcbdbb
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/openshift-kube-apiserver/admission/authorization/restrictusers/restrictusers.go b/openshift-kube-apiserver/admission/authorization/restrictusers/restrictusers.go
@@ -172,6 +172,11 @@ func subjectsDelta(elementsToIgnore, elements []rbac.Subject) []rbac.Subject {
 // each subject in the binding must be matched by some rolebinding restriction
 // in the namespace.
 func (q *restrictUsersAdmission) Validate(ctx context.Context, a admission.Attributes, _ admission.ObjectInterfaces) (err error) {
+	if q.oauthState == v1alpha1.OpenShiftOAuthStateNotDesired {
+		klog.V(2).Info("admission plugin authorization.openshift.io/RestrictSubjectBindings is configured to act as if the OpenShift oauth-apiserver is not present. This admission plugin relies on the OpenShift oauth-apiserver to function as expected and should be disabled when it is not present. Acting as if disabled and not enforcing subject bindings.")
+		return nil
+	}
+
 	// We only care about rolebindings
 	if a.GetResource().GroupResource() != rbac.Resource("rolebindings") {
 		return nil