Cause: In Overview, we are consuming sidebar resources via extension utils and first check is if knative CRDs are present then check is based on the key as in knative specific resources "configurations" and in current code, issue was even if knative resources were not present but utils returned { configurations: [] }. The non-admin user won't even be able to view workloads under-console as firehose fetches knative specific resources and results in 403
Consequence: For kubeadmin in case of normal deployments and as in sidebar it identifies configurations and knative operator is installed so treated it as knative resource i.e configurations, Revisions, routes. For the non-admin user, it shows Permission issue if user tries to view workloads in console
Fix: with added check in case of no configurations found will return undefined, so will not add any knative specific resources in overviewitems. For fetching resources via firehose add key "option:true" to make it non required
Result: Overview sidebar resources work as expected in case of normal deployment and knative specific deployment. A non-admin user can view the workloads.
DescriptionJaivardhan Kumar
2019-10-04 16:13:03 UTC
Created attachment 1622598[details]
Showing restricted access on console workloads
Description of problem:
Non project admin uer i.e normal httpd user won't be able to view workloads under console when knative serverless tech preview 1 operator is installed. Sidebar resources list resources as per kknative resource. Even though the deployment selected in the workloads view is not a knative workload, the sidebar is showing the resource list for knative resources.
Version-Release number of selected component (if applicable):4.2
How reproducible:
1. Install knative serverless TP1 operator (1.0.0), follow https://docs.openshift.com/container-platform/4.1/serverless/installing-openshift-serverless.html
1. create a non-admin user i.e normal httpd user
2. This can be observed by going to the openshift-console project -> workloads tab
Steps to Reproduce:
1. Create a non admin user i.e normal httpd user
2. This can be observed by going to the openshift-console project -> workloads tab
3. If logged in as "kubeadmin" can see deployments and Then click on the first deployment.
Actual results:
1. Workloads will show restricted access if logged in via non-admin user.
2. Selection of deployments on workloads will show incorrect resources if logged in with kubeadmin
Expected results:
1. Workloads should list deploymets if logged in via non-admin user.
2. Selection of deployments on workloads will show correct resources if logged in with kubeadmin
Additional info:
Setting the target release to 4.3.0, since we try to fix things in master first and 4.3 is where master is currently pointing. Once this gets addressed there it can be cloned back to 4.2.z if that seems appropriate.
Comment 2spathak@redhat.com
2019-10-09 14:07:51 UTC
I've verified the following scenario:
1. I installed knative tp1 and logged in as a non-admin
2. I went openshift-console project -> workloads tab
3. I was able to see deployments and in the deployments able to see routes also.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2020:0062