Bug 1555363

Summary: Project admin could create daemonsets in its namespace
Product: OpenShift Container Platform Reporter: Tomáš Nožička <tnozicka>
Component: apiserver-authAssignee: Simo Sorce <ssorce>
Status: CLOSED NOTABUG QA Contact: Chuan Yu <chuyu>
Severity: high Docs Contact:
Priority: urgent    
Version: 3.10.0CC: aos-bugs, chuyu, deads, jokerman, mfojtik, mkhan, mmccomas, ssorce, tnozicka, weinliu
Target Milestone: ---Keywords: Regression
Target Release: 3.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
undefined
 Story Points: ---
Clone Of: 1536304 Environment:
Last Closed: 2018-05-04 12:42:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 1 Tomáš Nožička 2018-03-14 14:45:31 UTC 
https://github.com/openshift/origin/pull/18971
Comment 2 Chuan Yu 2018-03-28 06:15:56 UTC 
Verified.
# openshift version
openshift v3.10.0-0.14.0
kubernetes v1.9.1+a0ce1bc657
etcd 3.2.16
Comment 3 Chuan Yu 2018-04-23 09:21:37 UTC 
The issue present again,

# openshift version
openshift v3.10.0-0.27.0
kubernetes v1.10.0+b81c8f8
etcd 3.2.16
Comment 4 Mo 2018-04-23 14:45:10 UTC 
David, where do we stand on this now?  I believe we are carrying a patch on the DS controller to make it a non issue?
Comment 5 David Eads 2018-04-23 17:58:04 UTC 
https://github.com/openshift/ose/pull/1205 merged, so the controller doesn't create pods it knows will be rejected.  "fixing" the default role to disallow the creation of a daemonset was a bug.
Comment 6 Simo Sorce 2018-04-23 18:33:25 UTC 
Setting to modified to indicate it should be fixed as David mentioned
Comment 7 Mo 2018-05-04 12:42:47 UTC 
Per David Eads in https://bugzilla.redhat.com/show_bug.cgi?id=1555363#c5:

> https://github.com/openshift/ose/pull/1205 merged, so the controller doesn't
> create pods it knows will be rejected.  "fixing" the default role to
> disallow the creation of a daemonset was a bug.

The change is merged as of v3.9.26-1

This readds the deamonset permission as it is safe for normal users to have.  Thus this is the expected behavior.