Bug 1684344
| Summary: | RoleBindingRestriction need move to CRD for 4.x | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Chuan Yu <chuyu> |
| Component: | apiserver-auth | Assignee: | Sally <somalley> |
| Status: | CLOSED ERRATA | QA Contact: | Chuan Yu <chuyu> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 4.1.0 | CC: | aos-bugs, decarr, eparis, evb, jupierce, mkhan, nagrawal, tzhou |
| Target Milestone: | --- | Keywords: | BetaBlocker, OpsBlocker, TestBlocker |
| Target Release: | 4.1.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-04 10:44:51 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Verified. $ oc get clusterversion NAME VERSION version 4.0.0-0.nightly-2019-03-13-233958 Since the changes reverted, https://github.com/openshift/origin/pull/22416 , re-open the issue. in progress: https://github.com/openshift/origin/pull/22534, https://github.com/openshift/cluster-config-operator/pull/32 *** Bug 1703789 has been marked as a duplicate of this bug. *** Series of PRS landing today/tomorrow in origin & cluster-config-operator to resolve, convert RBRs to CRD PRs merged, RBRs are now CRDs.
The issue originally reported in this BZ still exists, however.
1) set up htpasswd, add non-admin user testuser
2) login as testuser, create-project test
3) login as system:admin
4) create rbr:
apiVersion: authorization.openshift.io/v1
kind: RoleBindingRestriction
metadata:
name: match-users
spec:
userrestriction:
users: [""]
5) login as user testuser
6) oc policy add-role-to-user view user3
Actual results:
Add view role to user3 successfully
Expected results:
could not add role to other users, and should should report error like:
rror from server (Forbidden): rolebindings.rbac.authorization.k8s.io "view" is forbidden: rolebindings to User "user3" are not allowed in project "test"
Will be looking into this Monday.
tried again, same cluster, a day later, got the correct and expected: $ oc policy add-role-to-user view testuser2 Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io "view-0" is forbidden: rolebindings to User "testuser2" are not allowed in project "test" I'll keep testing in fresh clusters. I have tried the userrestriction, it work as expected. Verified on 4.1.0-0.nightly-2019-05-06-223020 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0758 |
Description of problem: rolebindingrestrction for 4.x not working well Version-Release number of selected component (if applicable): 4.0.0-0.nightly-2019-02-26-125216 How reproducible: always Steps to Reproduce: 1.config kubeapiserver cluster with: spec: unsupportedConfigOverrides: admissionConfig: pluginConfig: openshift.io/RestrictSubjectBindings: configuration: apiversion: v1 kind: DefaultAdmissionConfig 2.create a user restriction rolebindingrestrion for ns pm1(user pm1 is owner): apiVersion: v1 kind: RoleBindingRestriction metadata: name: match-users spec: userrestriction: users: [""] 3.try to add view role to other user by user pm1 oc policy add-role-to-user view pm3 Actual results: Add view role to other user successfully Expected results: could not add role to other users, and should should report error like: rror from server (Forbidden): rolebindings.rbac.authorization.k8s.io "view" is forbidden: rolebindings to User "pm3" are not allowed in project "pm1" Additional info: