| Summary: | [platformmanagement_public_649] The API will not return the allowed message when sent PodSecurityPolicyReview with specific serviceaccount | | |
|---|---|---|---|
| Product: | OKD | Reporter: | weiwei jiang <wjiang> |
| Component: | Master | Assignee: | Maciej Szulik <maszulik> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Chuan Yu <chuyu> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 3.x | CC: | aos-bugs, chuyu, mfojtik, mmccomas, wsun |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-12-09 21:51:18 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
To keep consistent with other SAR endpoints, a user needs to specify both user and groups to get reasonable information back. [1] explicitly states you need to specify both to get a proper answer in light of the username and the groups he's in.

[1] https://github.com/openshift/origin/blob/125ed10fa7103f46c5aa1593210ca0e1d417ea4b/pkg/security/api/types.go#L27-L29

I'm moving this back to ON_QA. To properly verify which SCCs are applied you first need to assign an SCC to the SA, e.g.:

```
oadm policy add-scc-to-user restricted system:serviceaccount:<project name>:default
```

and then invoke the curl to PSPR, which should return that information. By default, the default SA contains only the secrets and tokens to pull images.

When specifying both user and groups, I could get reasonable information back.
Description of problem:
When sending the API POST of a PodSecurityPolicyReview with a specific serviceaccount which has been granted admin for the namespace, I got:

```json
"status": {
  "allowedServiceAccounts": null
}
```

Version-Release number of selected component (if applicable):
devenv-rhel7_5161

How reproducible:
wjiang

Steps to Reproduce:
1. Grant serviceaccount default admin for the namespace.
2. Send the API POST of a PodSecurityPolicyReview:

```json
{
  "kind": "PodSecurityPolicyReview",
  "apiVersion": "v1",
  "metadata": {
    "name": "pspsr"
  },
  "spec": {
    "template": {
      "spec": {
        "containers": [
          {
            "name": "hello-openshift",
            "image": "aosqe/hello-openshift",
            "ports": [
              {
                "containerPort": 8080,
                "protocol": "TCP"
              }
            ],
            "resources": {},
            "volumeMounts": [
              {
                "name": "tmp",
                "mountPath": "/tmp"
              }
            ],
            "terminationMessagePath": "/dev/termination-log",
            "imagePullPolicy": "IfNotPresent",
            "securityContext": {
              "capabilities": {},
              "privileged": false
            }
          }
        ],
        "volumes": [
          {
            "name": "tmp",
            "emptyDir": {}
          }
        ],
        "restartPolicy": "Always",
        "dnsPolicy": "ClusterFirst",
        "serviceAccountName": "default"
      }
    },
    "serviceAccountNames": [
      "default"
    ]
  },
  "status": {}
}
```

```
curl -k -H "Authorization: Bearer `oc whoami -t`" "https://localhost:8443/oapi/v1/namespaces/wjiang/podsecuritypolicyreviews" -X POST -d @pspsr -H "Content-Type: application/json"
```

3. Check the returned JSON.

Actual results:

```json
{
  "kind": "PodSecurityPolicyReview",
  "apiVersion": "v1",
  "spec": {
    "template": {
      "metadata": {
        "creationTimestamp": null
      },
      "spec": {
        "volumes": [
          {
            "name": "tmp",
            "emptyDir": {}
          }
        ],
        "containers": [
          {
            "name": "hello-openshift",
            "image": "aosqe/hello-openshift",
            "ports": [
              {
                "containerPort": 8080,
                "protocol": "TCP"
              }
            ],
            "resources": {},
            "volumeMounts": [
              {
                "name": "tmp",
                "mountPath": "/tmp"
              }
            ],
            "terminationMessagePath": "/dev/termination-log",
            "imagePullPolicy": "IfNotPresent",
            "securityContext": {
              "capabilities": {},
              "privileged": false
            }
          }
        ],
        "restartPolicy": "Always",
        "terminationGracePeriodSeconds": 30,
        "dnsPolicy": "ClusterFirst",
        "serviceAccountName": "default",
        "serviceAccount": "default",
        "securityContext": {}
      }
    },
    "serviceAccountNames": [
      "default"
    ]
  },
  "status": {
    "allowedServiceAccounts": null
  }
}
```

Expected results:
The serviceaccount default should be in the allowedServiceAccounts list.

Additional info:
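As an added example (not code from the report or from openshift/origin), the following script wraps the verification procedure given in the comment above: it builds the PodSecurityPolicyReview body the reporter posted, POSTs it to /oapi/v1/namespaces/<ns>/podsecuritypolicyreviews with a bearer token, and reads status.allowedServiceAccounts, treating the JSON null the reporter received the same as an empty list so the check reports "not admitted" instead of crashing. The response field names it reads (allowedServiceAccounts[].name and .allowedBy.name), the script name pspr_check.py, and the two constructed sample responses are assumptions; check the field names against your master's version of the API types.

```python
"""Post a PodSecurityPolicyReview and report which serviceaccounts an SCC admits.

Added example; not from the bug report or from openshift/origin.
Field names read from the response are an assumption about the oapi/v1 types.
"""
import json
import ssl
import sys
import urllib.request

# Pod spec taken from the report's request (the hello-openshift container).
BUG_POD_SPEC = {
    "containers": [{
        "name": "hello-openshift",
        "image": "aosqe/hello-openshift",
        "ports": [{"containerPort": 8080, "protocol": "TCP"}],
        "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
        "securityContext": {"capabilities": {}, "privileged": False},
    }],
    "volumes": [{"name": "tmp", "emptyDir": {}}],
    "serviceAccountName": "default",
}


def build_review(pod_spec, service_account_names, name="pspsr"):
    """Return a PodSecurityPolicyReview (oapi/v1) body for pod_spec and the SAs to evaluate."""
    if not service_account_names:
        raise ValueError("spec.serviceAccountNames must list at least one serviceaccount")
    return {
        "kind": "PodSecurityPolicyReview",
        "apiVersion": "v1",
        "metadata": {"name": name},
        "spec": {
            "template": {"spec": pod_spec},
            "serviceAccountNames": list(service_account_names),
        },
    }


def allowed_accounts(review):
    """Map each admitted SA name to the name of the SCC that admitted it.

    The report shows status.allowedServiceAccounts coming back as JSON null rather
    than []; both are treated as "nothing admitted" instead of raising on None.
    """
    status = review.get("status") or {}
    entries = status.get("allowedServiceAccounts") or []
    admitted = {}
    for entry in entries:
        allowed_by = entry.get("allowedBy") or {}  # assumed: ObjectReference to the SCC
        admitted[entry["name"]] = allowed_by.get("name")
    return admitted


def rejected_accounts(request_body, review):
    """SAs that were asked about but are absent from allowedServiceAccounts."""
    admitted = allowed_accounts(review)
    return [sa for sa in request_body["spec"]["serviceAccountNames"] if sa not in admitted]


def post_review(api_server, namespace, token, body, insecure=False):
    """POST the review to /oapi/v1/namespaces/<ns>/podsecuritypolicyreviews.

    insecure=True mirrors the report's `curl -k`; use it only against a dev cluster.
    """
    url = f"{api_server}/oapi/v1/namespaces/{namespace}/podsecuritypolicyreviews"
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    ctx = None
    if insecure:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


# Constructed sample responses: the null status from the report, and the shape
# assumed after `oadm policy add-scc-to-user restricted system:serviceaccount:<ns>:default`.
NULL_RESPONSE = {"kind": "PodSecurityPolicyReview", "apiVersion": "v1",
                 "status": {"allowedServiceAccounts": None}}
RESTRICTED_RESPONSE = {"kind": "PodSecurityPolicyReview", "apiVersion": "v1",
                       "status": {"allowedServiceAccounts": [
                           {"name": "default",
                            "allowedBy": {"kind": "SecurityContextConstraints", "name": "restricted"}}]}}

if __name__ == "__main__":
    # usage: python pspr_check.py https://localhost:8443 wjiang "$(oc whoami -t)" [sa ...]
    if len(sys.argv) < 4:
        sys.exit("usage: pspr_check.py <api_server> <namespace> <token> [serviceaccount ...]")
    server, namespace, token, *sas = sys.argv[1:]
    body = build_review(BUG_POD_SPEC, sas or ["default"])
    review = post_review(server, namespace, token, body, insecure=True)
    for sa, scc in allowed_accounts(review).items():
        print(f"{sa}: admitted by SCC {scc}")
    rejected = rejected_accounts(body, review)
    if rejected:
        print("not admitted by any SCC: " + ", ".join(rejected))
        sys.exit(1)
```

Run it once before and once after the `oadm policy add-scc-to-user` step from the comment: the first run should list `default` as not admitted (the null status from the report), the second should print `default: admitted by SCC restricted`.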