Bug 1393455

Summary: system:router clusterrole cannot get namespaces

Product: OpenShift Container Platform
Reporter: Steven Walter <stwalter>
Component: Networking
Assignee: Ben Bennett <bbennett>
Networking sub component: router
QA Contact: zhaozhanqi <zzhao>
Status: CLOSED NOTABUG
Docs Contact:
Severity: low
Priority: low
CC: andcosta, aos-bugs, javier.ramirez, rhowe
Version: 3.3.0
Keywords: Reopened
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-12-10 17:26:38 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Steven Walter 2016-11-09 15:20:55 UTC
Description of problem:
Currently, the system:router clusterrole cannot list namespaces. As per our docs and per upstream bug (https://bugzilla.redhat.com/show_bug.cgi?id=1332510) this IS expected behavior and for using NAMESPACE_LABELS one should simply add the cluster-reader role to the router service account. Customer believes this to be sub-optimal; it seems there are no real reasons to not include listing namespaces in the clusterrole for system:router. If there are security issues, are these not still issues when using router sharding? If there are not security issues, why not allow router to see namespaces by default?

Version-Release number of selected component (if applicable):
OSCP 3.3.0

As already mentioned, this is also addressed to some extent in the OpenShift Origin bz here:

https://bugzilla.redhat.com/show_bug.cgi?id=1332510

Comment 2 Ben Bennett 2016-11-09 16:01:53 UTC
Anyone who can list the namespaces can find out all of the other project names in the system.  In general we give the minimal set of privileges out, and let the admin decide whether they want to give out additional privileges to enable features.

So, if you want to allow sharding by namespace you need to allow listing namespaces.  But in general we don't want to make that a base router requirement.

Comment 5 Ryan Howe 2016-11-25 17:25:12 UTC
I see this being a documentation change describing how to create a role for router sharding, or adding a cluster role that gets bootstrapped that would be used for router sharding.


1. Document creating the role

# oc create -f - <<EOF
apiVersion: v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: namespace-reader
rules:
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - namespaces
  - namespaces/status
  verbs:
  - get
  - list
  - watch
EOF


# oc adm policy add-cluster-role-to-group namespace-reader system:routers

2. Or we would bootstrap the cluster role and just have the user run the add-role-to-group command.

https://github.com/openshift/origin/blob/master/pkg/cmd/server/bootstrappolicy/policy.go
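As an added illustration (not part of the bug report or of OpenShift's own code), the following offline evaluator applies Kubernetes RBAC matching rules to the namespace-reader ClusterRole from comment 5, so you can confirm it grants exactly the namespace read access router sharding needs and nothing beyond that. The BROAD_READER rule set is a constructed contrast and is not the real cluster-reader definition.

```python
# Offline RBAC rule evaluator (added example; assumes Kubernetes PolicyRule
# semantics: "*" wildcards, "resource/subresource" names, "resource/*" and
# "*/subresource" forms). No cluster or oc binary is needed.

# Constructed from the namespace-reader ClusterRole manifest in comment 5.
NAMESPACE_READER = [
    {"apiGroups": [""], "resources": ["namespaces", "namespaces/status"],
     "verbs": ["get", "list", "watch"]},
]

# Constructed, deliberately broad read-only role used only as a contrast.
BROAD_READER = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
]


def _matches(allowed, wanted):
    """RBAC list matching: an explicit entry or the "*" wildcard."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, verb, resource, api_group=""):
    """True if a single PolicyRule grants verb on resource (e.g. "namespaces/status")."""
    if not _matches(rule.get("verbs", []), verb):
        return False
    if not _matches(rule.get("apiGroups", []), api_group):
        return False
    resources = rule.get("resources", [])
    if _matches(resources, resource):
        return True
    base, _, sub = resource.partition("/")
    # A subresource is covered by "base/*" or "*/sub", never by "base" alone.
    return bool(sub) and (f"{base}/*" in resources or f"*/{sub}" in resources)


def can_i(rules, verb, resource, api_group=""):
    """Equivalent of `oc auth can-i VERB RESOURCE`, evaluated against rules."""
    return any(rule_allows(r, verb, resource, api_group) for r in rules)


def extra_grants(broad, narrow, probes):
    """Requests the broad role allows that the narrow role does not."""
    return [p for p in probes if can_i(broad, *p) and not can_i(narrow, *p)]


PROBES = [
    ("list", "namespaces"), ("get", "namespaces/status"), ("list", "pods"),
    ("get", "secrets"), ("list", "routes", "route.openshift.io"),
    ("delete", "namespaces"),
]

if __name__ == "__main__":
    for p in PROBES:
        print(p, "namespace-reader:", can_i(NAMESPACE_READER, *p))
    print("granted beyond namespace-reader:",
          extra_grants(BROAD_READER, NAMESPACE_READER, PROBES))
```

On a live cluster the same question is answered by `oc auth can-i list namespaces --as=system:serviceaccount:default:router` after the binding from step 1 is applied.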

Comment 6 Javier Ramirez 2017-09-21 06:50:38 UTC
Customer confirmed that approach provided by Ryan on comment #5 worked perfectly, but would like this new ClusterRole to be included by default:

~~~
Yes, what we would like to finally achieve in this case is that the role suggested by your colleague in this case is included by default in OpenShift and that router deployment docs (and tests) are updated to use it instead of cluster-reader.
~~~

Comment 9 Ryan Howe 2018-12-10 17:26:38 UTC
The router is now added to cluster-reader by the installer.

https://github.com/openshift/openshift-ansible/blob/release-3.9/roles/openshift_hosted/tasks/router.yml#L76-L83


The docs also state that when using router sharding the router should be added to the cluster-reader role.

https://docs.openshift.com/container-platform/3.11/install_config/router/default_haproxy_router.html#using-router-shards