Bug 1625149
| Summary: | [olm] should not grant the "cluster-admin" role to "olm-operator-serviceaccount" | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Jian Zhang <jiazha> |
| Component: | OLM | Assignee: | Evan Cordell <ecordell> |
| Status: | CLOSED ERRATA | QA Contact: | Jian Zhang <jiazha> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 3.11.0 | | |
| Target Milestone: | --- | | |
| Target Release: | 3.11.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-10-11 07:25:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Jian Zhang
2018-09-04 09:00:47 UTC
OLM creates new API groups and needs to grant access to those API groups (e.g. adding them to the aggregated view and edit roles). I don't know of a role we could construct that would allow OLM to do this without cluster-admin. For example:

- User installs OLM
- User uses OLM to install Etcd Operator
- OLM installs EtcdCluster CRD
- OLM needs to create an aggregated role for Group: "etcd.database.coreos.com/v1beta2", kind: "EtcdCluster"
- In order to create the Role it must have a superset of those permissions, but it can't because OLM doesn't know ahead of time what kinds a user will register via OLM.
- The only solution I know of is to grant access to all groups.

OLM is a controller over the api layer, much like the aggregation controller: https://github.com/kubernetes/kubernetes/blob/7f23a743e8c23ac6489340bbb34fa6f1d392db9d/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go#L81-L88 (it is also granted * *)

To fall in line with the bootstrapped policy convention, I've added a ClusterRole for olm which explicitly states that it needs that permission. I'll update here when that change is merged.

Haven't fixed yet.

This is fixed here: https://github.com/openshift/openshift-ansible/pull/9949 (not merged yet)

The fix is merged.

LGTM, verify it.
```
[root@qe-juzhao-311-gce-1-master-etcd-1 ~]# oc get clusterrolebinding olm-operator-binding-operator-lifecycle-manager -o yaml
apiVersion: authorization.openshift.io/v1
groupNames: null
kind: ClusterRoleBinding
metadata:
  creationTimestamp: 2018-09-11T03:29:24Z
  name: olm-operator-binding-operator-lifecycle-manager
  resourceVersion: "41478"
  selfLink: /apis/authorization.openshift.io/v1/clusterrolebindings/olm-operator-binding-operator-lifecycle-manager
  uid: e11efebd-b572-11e8-b1e8-42010af0000c
roleRef:
  name: system:controller:operator-lifecycle-manager
subjects:
- kind: ServiceAccount
  name: olm-operator-serviceaccount
  namespace: operator-lifecycle-manager
userNames:
- system:serviceaccount:operator-lifecycle-manager:olm-operator-serviceaccount
```

```
[root@qe-juzhao-311-gce-1-master-etcd-1 ~]# oc get clusterrole system:controller:operator-lifecycle-manager -o yaml
apiVersion: authorization.openshift.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: 2018-09-11T03:29:20Z
  name: system:controller:operator-lifecycle-manager
  resourceVersion: "41470"
  selfLink: /apis/authorization.openshift.io/v1/clusterroles/system%3Acontroller%3Aoperator-lifecycle-manager
  uid: df1c9f4e-b572-11e8-b1e8-42010af0000c
rules:
- apiGroups:
  - '*'
  attributeRestrictions: null
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups: null
  attributeRestrictions: null
  nonResourceURLs:
  - '*'
  resources: []
  verbs:
  - '*'
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:2652
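The ClusterRole shown above is cluster-admin-equivalent because every one of its rules is a wildcard. As an added example that is not part of this report or of OLM itself, the Python below scans objects in the shape `oc get clusterroles,clusterrolebindings -o json` returns for such wildcard rules and lists the subjects bound to them; the sample input is constructed from the objects above (the `example-pod-reader` role and the Kubernetes-RBAC-style `roleRef` with a `kind` are assumptions).

```python
import json
from typing import Dict, List

# Constructed sample in the shape `oc get clusterroles,clusterrolebindings -o json` returns,
# modelled on the objects in the report; "example-pod-reader" is an invented benign role.
SAMPLE_JSON = """
{"items": [
  {"kind": "ClusterRole", "metadata": {"name": "system:controller:operator-lifecycle-manager"},
   "rules": [
     {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
     {"nonResourceURLs": ["*"], "resources": [], "verbs": ["*"]}]},
  {"kind": "ClusterRole", "metadata": {"name": "example-pod-reader"},
   "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
  {"kind": "ClusterRoleBinding", "metadata": {"name": "olm-operator-binding-operator-lifecycle-manager"},
   "roleRef": {"kind": "ClusterRole", "name": "system:controller:operator-lifecycle-manager"},
   "subjects": [{"kind": "ServiceAccount", "name": "olm-operator-serviceaccount",
                 "namespace": "operator-lifecycle-manager"}]}
]}
"""
SAMPLE_ITEMS = json.loads(SAMPLE_JSON)["items"]

def rule_is_wildcard(rule: dict) -> bool:
    """True if the rule grants every verb on every resource of every API group, or on every non-resource URL."""
    if "*" not in (rule.get("verbs") or []):
        return False
    if "*" in (rule.get("nonResourceURLs") or []):
        return True
    return "*" in (rule.get("apiGroups") or []) and "*" in (rule.get("resources") or [])

def wildcard_roles(items: List[dict]) -> Dict[str, List[int]]:
    """Map each ClusterRole name to the indexes of its wildcard rules; roles with none are omitted."""
    flagged: Dict[str, List[int]] = {}
    for obj in items:
        idx = [i for i, r in enumerate(obj.get("rules") or []) if rule_is_wildcard(r)]
        if obj.get("kind") == "ClusterRole" and idx:
            flagged[obj["metadata"]["name"]] = idx
    return flagged

def subjects_with_wildcard_roles(items: List[dict]) -> List[str]:
    """List 'Kind/namespace/name -> role' for every subject bound to a flagged ClusterRole."""
    flagged = wildcard_roles(items)
    hits: List[str] = []
    for obj in items:
        role = (obj.get("roleRef") or {}).get("name")
        if obj.get("kind") != "ClusterRoleBinding" or role not in flagged:
            continue
        for s in obj.get("subjects") or []:
            hits.append(f"{s.get('kind')}/{s.get('namespace', '-')}/{s.get('name')} -> {role}")
    return sorted(hits)
```

On a real cluster, feed the output of `oc get clusterroles,clusterrolebindings -o json` to `json.loads` in place of `SAMPLE_JSON`; built-in roles such as cluster-admin will be flagged by design, so the signal worth reviewing is any service account or user outside the bootstrapped system bindings.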