RestrictUsersAdmission: allow service account with implicit namespace

[Miciah]

Allow role binding restrictions to match and allow a service account subject with an implicit namespace, which is inferred to be the namespace of the role binding.

The use-case for this change is that an application template should be able to specify a role binding with a service account as the subject, without hard-coding the namespace in the template or requiring the user to specify the namespace as a parameter. In this scenario, the subject's namespace gets defaulted to the role binding's namespace, but only after the admission control plug-in executes; the subject that the plug-in sees is a service account with no namespace specified, so RestrictUsersAdmission should infer the namespace to be that the one which will be defaulted later.

---

Related to https://bugzilla.redhat.com/show_bug.cgi?id=1439065.

---

openshift-bot, please [test]!

@deads2k, please review!

@abhgupta, FYI.

[openshift-bot]

Evaluated for origin test up to 8d8b3e4

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/593/) (Base Commit: 83e3250)

[openshift-bot]

continuous-integration/openshift-jenkins/test SUCCESS (https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin/593/) (Base Commit: 83e3250)

[Miciah]

@liggitt, could you review this?

[liggitt]

lgtm [merge]

[Miciah]

Flake #13662:

[INFO] Validating exec
Running test/end-to-end/core.sh:463: executing 'oc exec -p frontend-1-jt6jq id' expecting success and text '1000'...
Connection to 172.18.10.71 closed by remote host.
++ export status=FAILURE
++ status=FAILURE
+ set +o xtrace
########## FINISHED STAGE: FAILURE: RUN INTEGRATION TESTS ##########

https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin_integration/884/consoleFull

Failure during provisioning:

TASK [validate-masters : Validate the public address] **************************
Thursday 06 April 2017  22:05:30 +0000 (0:00:00.032)       0:16:57.418 ******** 
FAILED - RETRYING: TASK: validate-masters : Validate the public address (3 retries left).
FAILED - RETRYING: TASK: validate-masters : Validate the public address (2 retries left).
FAILED - RETRYING: TASK: validate-masters : Validate the public address (1 retries left).
fatal: [ci-prtest-5a37c28-828-ig-m-0fbl]: FAILED! => {"attempts": 3, "changed": false, "content": "", "failed": true, "msg": "Status code was not [200]: An unknown error occurred: ''", "redirected": false, "status": -1, "url": "https://api.prtest-5a37c28-828.origin-ci-int-gce.dev.rhcloud.com:443/healthz/ready"}

https://ci.openshift.redhat.com/jenkins/job/test_pull_request_origin_extended_conformance_gce/828/consoleFull

[Miciah]

The second failure could be #13470, although there it's "Request failed: <urlopen error [Errno -2] Name or service not known>" whereas here it's "An unknown error occurred: ''".

[stevekuznetsov]

re[merge] -- queue is healthy again

[stevekuznetsov]

@openshift-bot, the last build failed from the following flakes:

• integration failed on: TestConcurrentBuildPodControllers running state test: Did not reach desired build state: Running #13650

re[merge]

[openshift-bot]

Evaluated for origin merge up to 8d8b3e4

[openshift-bot]

continuous-integration/openshift-jenkins/merge SUCCESS (https://ci.openshift.redhat.com/jenkins/job/merge_pull_request_origin/291/) (Base Commit: dbcd81b) (Image: devenv-rhel7_6128)