Bug 1805833

Summary: Excessive permissions for prometheus-operator cluster-role
Product: OpenShift Container Platform Reporter: Sergiusz Urbaniak <surbania>
Component: MonitoringAssignee: Paul Gier <pgier>
Status: CLOSED ERRATA QA Contact: Junqi Zhao <juzhao>
Severity: low Docs Contact:
Priority: unspecified    
Version: 4.3.0CC: alegrand, anpicker, erooth, fbranczy, juzhao, kakkoyun, lcosic, mloibl, pkrupa, rsandu, sgarciam, surbania, vlaad
Target Milestone: ---   
Target Release: 4.3.z   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1795538 Environment:
Last Closed: 2020-04-20 17:08:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1795538    
Bug Blocks:    

Comment 2 Paul Gier 2020-04-06 21:44:18 UTC 
I created a PR for openshift/prometheus-operator, however, it looks like the release-4.3 branch of cluster-monitoring-operator is pointing to the jsonnet content of the upstream release-0.34 branch.  Do we want to backport this patch upstream, or should cluster-monitoring-operator point at the downstream prometheus-operator branch?
Comment 8 Junqi Zhao 2020-04-15 05:45:57 UTC 
issue is fixed with 4.3.0-0.nightly-2020-04-13-190424, verification steps:
grant cluster-reader role to user

# oc adm policy add-cluster-role-to-user cluster-reader testuser-11

# oc login with the user to the cluster and check
# check the crd oauths.config.openshift.io before deletion
$ oc get crd oauths.config.openshift.io
NAME                         CREATED AT
oauths.config.openshift.io   2020-04-15T01:55:37Z

$ oc describe sa -n openshift-monitoring prometheus-operator
Name:                prometheus-operator
Namespace:           openshift-monitoring
Labels:              app.kubernetes.io/component=controller
                     app.kubernetes.io/name=prometheus-operator
                     app.kubernetes.io/version=v0.34.1
Annotations:         <none>
Image pull secrets:  prometheus-operator-dockercfg-v5nb9
Mountable secrets:   prometheus-operator-token-q4k9f
                     prometheus-operator-dockercfg-v5nb9
Tokens:              <none>
Events:              <none>


$ token=$(oc -n openshift-monitoring get secret prometheus-operator-token-q4k9f -ojsonpath="{.data.token}" | base64 -d)
Error from server (Forbidden): secrets "prometheus-operator-token-q4k9f" is forbidden: User "testuser-11" cannot get resource "secrets" in API group "" in the namespace "openshift-monitoring"

$ oc --token=$token delete crd oauths.config.openshift.io
Error from server (Forbidden): customresourcedefinitions.apiextensions.k8s.io "oauths.config.openshift.io" is forbidden: User "testuser-11" cannot delete resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope
Comment 10 errata-xmlrpc 2020-04-20 17:08:56 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1482