Cause: In 4.x, when a user imports an image from another namespace for which they have edit access, the rolebindings needed for image-puller rights are created in the namespace the user is trying to import from. This fails because the user does not have admin privileges in the namespace they are importing the image from.
Consequence: A self-provisioner user is unable to import an image from another Project for which they have edit access.
Fix: The rolebindings required for image-puller rights are now created in the namespace the user wants to import to.
In 4.x we have added the ability to automatically grant image-puller rights in the namespace, unlike 3.x, where the user executes an `oc` command to give the permission.
Result: A user can import/run an image from another Project if they have edit access.
Description Miguel Figueiredo Nunes
2020-06-02 19:58:03 UTC
Description of problem:
Customer unable to retrieve an image from another project using serviceaccounts in the Web UI
Version-Release number of selected component (if applicable):
4.x
How reproducible:
All times
Steps to Reproduce:
1. Create a user and give him only edit, deployer or image-puller rights
2. Execute the procedures in this document:
https://docs.openshift.com/container-platform/4.3/openshift_images/managing_images/using-image-pull-secrets.html#images-allow-pods-to-reference-images-across-projects_using-image-pull-secrets
3. Try to create a new deploy getting an image from another project (project-a)
Actual results:
On Deploy Image->Image stream tag from internal registry, I got the message:
"Service account default does not have authority to pull images from project-b. Select another project to continue."
Expected results:
Be able to run an image from another project, since the necessary permissions were set based on the document referred to above
Additional info:
This same process worked for the customer in the 3.x version. The customer is migrating his projects from the 3.x to 4.x
We are also having this issue. Did the procedure above on a 4.3.8 cluster and assigned a user the "edit" role in another project. When the user enters the web console and tries to deploy an image from an internal registry, they get the same "Service account default does not have authority to pull images from other_project. Select another project to continue" message. When the role of the user is changed to the admin role, it works fine, but anything below admin (basic-user, deployer, etc) fails.
Comment 9 spathak@redhat.com
2020-09-09 14:14:36 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2020:4196