Bug 1886888

Summary: user with clusterrole full rights on deployments/scale cannot scale pod using the console
Product: OpenShift Container Platform Reporter: German Parente <gparente>
Component: Dev ConsoleAssignee: cvogt
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact: Rishu Mehra <rmehra>
Priority: medium    
Version: 4.5CC: aballant, aos-bugs, cjerolim, msaud, nmukherj, rmehra, sbudhwar, scuppett
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Known Issue
Doc Text:
In {product-title} 4.9, a user with scale permissions cannot scale a deployment or deployment config using the console if they do not have edit rights to the deployment or deployment config. This will be resolved in a future release. (link:https://bugzilla.redhat.com/show_bug.cgi?id=1886888[BZ#1886888])
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-04 16:30:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description German Parente 2020-10-09 16:19:40 UTC
Description of problem:

- create a user.

- create a cluster role like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2020-10-09T15:13:20Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:rules: {}
    manager: oc
    operation: Update
    time: "2020-10-09T15:37:44Z"
  name: scale
  resourceVersion: "60514"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/scale
  uid: 36bc20fe-c654-4431-8a9b-9b7db96a473a
rules:
- apiGroups:
  - apps
  - apps.openshift.io
  resources:
  - configmaps
  - deploymentconfigs/scale
  - deployments/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete

- create a rolebinding like this:


apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2020-10-09T15:20:36Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:roleRef:
        f:apiGroup: {}
        f:kind: {}
        f:name: {}
      f:subjects: {}
    manager: Mozilla
    operation: Update
    time: "2020-10-09T15:20:36Z"
  name: scalebinding
  resourceVersion: "55475"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/scalebinding
  uid: 44e210a1-1b14-4f0c-961f-9414736d0eaf
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: scale
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: gparente

- login as user

- scale deployment:

oc -n test scale deployment.apps/ruby-ex --replicas=3
deployment.apps/ruby-ex scaled

- try to scale using the console does not work

- we have to add to the clusterrole the deployments resource but that gives full access on the resource.

So. the workaroud is to edit the cluster role and add:


  resources:
  ...
  - deployments
  ...



Version-Release number of selected component (if applicable): 4.5


How reproducible: always

Comment 1 Stephen Cuppett 2020-10-09 16:55:45 UTC
Setting target release to the active development branch (4.7.0). For any fixes, where required and requested, cloned BZs will be created for those release maintenance streams where appropriate once they are identified.

Comment 6 Andrew Ballantyne 2020-10-23 17:35:32 UTC
Jira ticket for planning purposes: https://issues.redhat.com/browse/ODC-5042

Comment 7 Andrew Ballantyne 2021-01-13 18:34:35 UTC
Pushing to 4.8 as we lack the bandwidth to address this in 4.7.

Comment 8 Rishu Mehra 2021-02-19 15:51:29 UTC
Updated the doc text filed.