Bug 1690848
| Summary: | The cluster user cannot use the resources provided by the operators | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Jian Zhang <jiazha> |
| Component: | OLM | Assignee: | Evan Cordell <ecordell> |
| Status: | CLOSED ERRATA | QA Contact: | Jian Zhang <jiazha> |
| Severity: | urgent | Docs Contact: | |
| Priority: | high | ||
| Version: | 4.1.0 | CC: | chezhang, dyan, jfan, jforrest, zitang |
| Target Milestone: | --- | ||
| Target Release: | 4.1.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-04 10:46:13 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Jian Zhang
2019-03-20 10:50:34 UTC
The issue result from missed user in rolebinding, add: " apiGroup: rbac.authorization.k8s.io kind: User name: pm1 " and this problem also appears with prometheus, couchbase operator also, couchbaseclusters.couchbase.com is forbidden: User "pm5" cannot list resource "couchbaseclusters" in API group "couchbase.com" in the namespace "lgpm" prometheuses.monitoring.coreos.com is forbidden: User "pm5" cannot list resource "prometheuses" in API group "monitoring.coreos.com" in the namespace "lgpm" I'm reassigning this to the OLM team, its not specific to the etcd operator. It sounds like we are not automatically aggregating permissions to the project admin and project editor roles when we make the operator available within a namespace. Jessica, > It sounds like we are not automatically aggregating permissions to the project admin and project editor roles when we make the operator available within a namespace. Yes, based on my understanding, the root cause is here: Now, the etcd-operator(prometheus, couchbase, etc.) CSV used the permission[1] field, not the clusterpermissions. So, the OLM couldn't aggregate these permissions to the ClusterRole "admin" automatically. Hence, the project owner cannot manage these resources since the admin rolebinding referenced the ClusterRole "admin". [1]: https://github.com/operator-framework/community-operators/blob/master/community-operators/etcd/etcdoperator.v0.9.2.clusterserviceversion.yaml#L146 LGTM, verify it. 1, Login the cluster as the common user and create a project called "jian". 2, Login the cluster as the cluster-admin user and install the etcd-operator in project "jian". 3, The common user create the etcdCluster resource. Looks good to me, as below: mac:~ jianzhang$ oc whoami pm1 mac:~ jianzhang$ oc get etcdcluster NAME AGE example 40s mac:~ jianzhang$ oc get pods NAME READY STATUS RESTARTS AGE etcd-operator-ffc975954-s8n2j 3/3 Running 0 8m51s example-jkh7h74prq 0/1 Init:0/1 0 8s example-lwmk5jm2dr 1/1 Running 0 32s mac:~ jianzhang$ oc delete etcdcluster example etcdcluster.etcd.database.coreos.com "example" deleted mac:~ jianzhang$ oc get etcdcluster No resources found. mac:~ jianzhang$ oc get pods NAME READY STATUS RESTARTS AGE example-lwmk5jm2dr 0/1 Terminating 0 65m OLM version: io.openshift.build.commit.id=c718ec855bb26a111d66ba2ba193d30e54f7feb1 Cluster version is 4.1.0-0.nightly-2019-04-22-005054 Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0758 |