Bug 1564269

Summary: add list istags at cluster scope to dedicated-admin role in openshift dedicated.
Product: OpenShift Online
Reporter: Brian Cook <bcook>
Component: RFE
Assignee: Abhishek Gupta <abhgupta>
Status: CLOSED CURRENTRELEASE
QA Contact: yasun
Severity: unspecified
Priority: unspecified
Version: 3.x
CC: aos-bugs, jokerman, mmccomas, peasters, wgordon
Target Milestone: ---
Keywords: OnlineDedicated, TestCaseNeeded
Target Release: ---
Hardware: Unspecified
OS: Linux
Last Closed: 2018-05-29 14:12:51 UTC
Type: Bug

Description Brian Cook 2018-04-05 20:58:58 UTC
Description of problem:

We need permission to list / watch imagestream tags at cluster scope for dedicated-admin role in order to trigger certification scans.


Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. try to list istags for cluster

Actual results:
get told that user cannot list istags for entire cluster.

Expected results:
successfully list istags for entire cluster.

Additional info:

Comment 1 Patrick Easters 2018-04-16 16:53:18 UTC
Per request of Will, I'm also noting here that we'd like the ability to view these resources at a cluster level as well:
builds
buildconfigs

We've sufficiently worked around the need for is/istags, but cluster-wide GET access for builds would be great.

Comment 4 Bing Li 2018-04-19 09:53:45 UTC
Verified this bug on OCP 3.9: 

The user will be able to check the images/imagestreamtags/builds/buildconfigs at cluster scope after being granted the "dedicated-cluster-admin" clusterrole:

Before being granted "dedicated-cluster-admin":

$ oc get imagestreamtags --all-namespaces 
Error from server (Forbidden): imagestreamtags.image.openshift.io is forbidden: User "bingli" cannot list imagestreamtags.image.openshift.io at the cluster scope: User "bingli" cannot list all imagestreamtags.image.openshift.io in the cluster

$ oc get image --all-namespaces 
Error from server (Forbidden): images.image.openshift.io is forbidden: User "bingli" cannot list images.image.openshift.io at the cluster scope: User "bingli" cannot list all images.image.openshift.io in the cluster

$ oc get build --all-namespaces 
Error from server (Forbidden): builds.build.openshift.io is forbidden: User "bingli" cannot list builds.build.openshift.io at the cluster scope: User "bingli" cannot list all builds.build.openshift.io in the cluster

$ oc get bc --all-namespaces 
Error from server (Forbidden): buildconfigs.build.openshift.io is forbidden: User "bingli" cannot list buildconfigs.build.openshift.io at the cluster scope: User "bingli" cannot list all buildconfigs.build.openshift.io in the cluster


After being granted "dedicated-cluster-admin":

# oc adm policy add-cluster-role-to-user dedicated-cluster-admin bingli
cluster role "dedicated-cluster-admin" added: "bingli"

$ oc get imagestreamtags --all-namespaces | wc -l
138
$ oc get image --all-namespaces | wc -l
122
$ oc get build --all-namespaces | wc -l
2
$ oc get bc --all-namespaces | wc -l
2

Comment 5 Will Gordon 2018-04-19 13:13:04 UTC
Hello Bing Li,

Would you please verify this against a 3.7 cluster as well?

Thank you!

Comment 6 Bing Li 2018-04-20 03:20:31 UTC
Verified on OCP 3.7:

The user is able to get images/imagestreamtags/builds/buildconfigs at cluster scope after being granted the "dedicated-cluster-admin" clusterrole:

$ oc get imagestreamtags --all-namespaces | wc -l
130
$ oc get image --all-namespaces | wc -l
$ oc get build --all-namespaces | wc -l
5
$ oc get bc --all-namespaces | wc -l
5
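
Added example (not part of this bug report and not OpenShift code): a Python script that parses the cluster-scope Forbidden messages quoted in Comment 4 and groups them into the narrowest RBAC-style rules that would clear them, giving a least-privilege baseline to compare against whatever role is actually granted. The function names are assumptions; the sample lines are copied from Comment 4.

```python
import json
import re
from collections import defaultdict

# Shape of the API server denial quoted in Comment 4 (first clause only):
#   ... is forbidden: User "<user>" cannot <verb> <resource>.<group> at the cluster scope
DENIAL = re.compile(
    r'forbidden: User "(?P<user>[^"]+)" cannot (?P<verb>\w+) '
    r'(?P<resource>[a-z]+)\.(?P<group>[a-z0-9.]+) at the cluster scope'
)

# The four error lines from Comment 4, embedded so the script runs offline.
SAMPLE = """\
Error from server (Forbidden): imagestreamtags.image.openshift.io is forbidden: User "bingli" cannot list imagestreamtags.image.openshift.io at the cluster scope: User "bingli" cannot list all imagestreamtags.image.openshift.io in the cluster
Error from server (Forbidden): images.image.openshift.io is forbidden: User "bingli" cannot list images.image.openshift.io at the cluster scope: User "bingli" cannot list all images.image.openshift.io in the cluster
Error from server (Forbidden): builds.build.openshift.io is forbidden: User "bingli" cannot list builds.build.openshift.io at the cluster scope: User "bingli" cannot list all builds.build.openshift.io in the cluster
Error from server (Forbidden): buildconfigs.build.openshift.io is forbidden: User "bingli" cannot list buildconfigs.build.openshift.io at the cluster scope: User "bingli" cannot list all buildconfigs.build.openshift.io in the cluster
"""


def parse_denials(text):
    """Return (user, verb, resource, api_group) for each cluster-scope denial."""
    return [(m["user"], m["verb"], m["resource"], m["group"])
            for m in DENIAL.finditer(text)]


def minimal_rules(denials):
    """Merge denials into rules: one rule per API group and denied verb set."""
    verbs_by_resource = defaultdict(set)
    for _user, verb, resource, group in denials:
        verbs_by_resource[(group, resource)].add(verb)
    merged = defaultdict(set)
    for (group, resource), verbs in verbs_by_resource.items():
        merged[(group, tuple(sorted(verbs)))].add(resource)
    return [
        {"apiGroups": [group], "resources": sorted(resources), "verbs": list(verbs)}
        for (group, verbs), resources in sorted(merged.items())
    ]


if __name__ == "__main__":
    print(json.dumps(minimal_rules(parse_denials(SAMPLE)), indent=2))
```

The derived rules contain only the verbs that were actually denied (here `list`); the `watch` access requested in the description would have to be added by hand.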