Bug 1449025

Summary: [dedicated] dedicated-cluster-admin needs to have an ability to edit EgressNetworkPolicy
Product: OpenShift Online Reporter: Kenjiro Nakayama <knakayam>
Component: Accounts and BillingAssignee: Abhishek Gupta <abhgupta>
Status: CLOSED CURRENTRELEASE QA Contact: Bing Li <bingli>
Severity: high Docs Contact:
Priority: medium    
Version: 3.xCC: abhgupta, aos-bugs, bbennett, bleanhar, chuyu, eparis, joelsmith, jokerman, mmccomas, xtian, yasun, yufchang
Target Milestone: ---Flags: joelsmith: needinfo+
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-11-09 18:49:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Kenjiro Nakayama 2017-05-09 05:46:48 UTC 
Description of problem:
---
- The dedicated-cluster-admin cannot create/view EgressNetworkPolicy.
- Dedicated docs obviously describes that it is available for dedicated users.

  https://docs.openshift.com/dedicated/admin_guide/limit_pod_access_egress.html
  "As an OpenShift Dedicated cluster administrator, you can use egress policy to limit the addresses that some or all pods can access from within the cluster, so that:"

Version-Release number of selected component (if applicable):
---
- OpenShift Dedicated

Steps to Reproduce:
---
1. Run "oc get egressnetworkpolicy" or create an egressnetworkpolicy.

Actual results:
---
  $ oc get egressnetworkpolicy 
  No resources found.
  Error from server: User "<DEDICATED_CLUSTER_ADMIN>" cannot list egressnetworkpolicies in project "<PROJECT_NAME>"

Expected results:
---
- Possible to create/view/edit the egressnetworkpolicy as describe in the docs.

Additional info:
---
- Dedicate uses ovs-multitenant plug-in? This is also mentioned in the docs as possible plugin https://docs.openshift.com/dedicated/architecture/additional_concepts/sdn.html
Comment 1 Ben Bennett 2017-05-09 13:32:25 UTC 
Abhishek: If you decide that dedicated admins should be allowed to do this, and I can't think of any reason why they ought not to, then you need to grant permission to the dedicated admins to create, edit, and delete EgressNetworkPolicy objects.
Comment 2 Abhishek Gupta 2017-05-09 15:13:33 UTC 
Joel: Are you fine with granting this access to dedicated admins?
Comment 3 Kenjiro Nakayama 2017-05-12 00:20:02 UTC 
Hi, please handle this issue as a bug. As I pointed, the dedicated docs obviously mentioned that egree policy is available and the customer expects the feature.

  https://docs.openshift.com/dedicated/admin_guide/limit_pod_access_egress.html
  "As an OpenShift Dedicated cluster administrator, you can use egress policy to limit the addresses that some or all pods can access from within the cluster, so that:"
Comment 8 Joel Smith 2017-05-22 14:55:07 UTC 
Sorry, somehow I missed comment #2. Yes, this seems fine to me.
Comment 10 Bing Li 2017-07-05 09:10:21 UTC 
Verified in ded-stage-aws(openshift-scripts-dedicated-3.5.1.51-1.git.0.a7c2b4a.el7.x86_64
):
OpenShift Master:  v3.5.5.26
Kubernetes Master: v1.5.2+43a9be4

[root@ded-stage-aws-master-90bc4 ~]# oc get clusterrole dedicated-project-admin -o yaml
apiVersion: v1
kind: ClusterRole
metadata:
  annotations:
    authorization.openshift.io/system-only: "true"
  creationTimestamp: 2017-06-29T23:06:53Z
  name: dedicated-project-admin
  resourceVersion: "2804"
  selfLink: /oapi/v1/clusterroles/dedicated-project-admin
  uid: a41bf9ac-5d1f-11e7-aa22-0ed098d7ac88
rules:
......
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - egressnetworkpolicies
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
......
[root@ded-stage-aws-master-90bc4 ~]#

Move to verified.
Comment 11 Kenjiro Nakayama 2017-08-18 07:02:30 UTC 
@Abhishek

today, the original customer reported that he still cannot view/edit the egressnetworkpolicy after their cluster's update to 3.5.5.31. Could you please confirm if operation team has applied the role to existing clusters?
Comment 13 Kenjiro Nakayama 2017-08-21 00:35:22 UTC 
Bump @Brenton for c#11