Bug 1886888

Summary: user with clusterrole full rights on deployments/scale cannot scale pod using the console
Product: OpenShift Container Platform Reporter: German Parente <gparente>
Component: Dev ConsoleAssignee: cvogt
Severity: medium Docs Contact: Rishu Mehra <rmehra>
Priority: medium    
Version: 4.5CC: aballant, aos-bugs, cjerolim, msaud, nmukherj, rmehra, sbudhwar, scuppett
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: Known Issue
Doc Text:
In {product-title} 4.9, a user with scale permissions cannot scale a deployment or deployment config using the console if they do not have edit rights to the deployment or deployment config. This will be resolved in a future release. (link:https://bugzilla.redhat.com/show_bug.cgi?id=1886888[BZ#1886888])
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-04 16:30:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description German Parente 2020-10-09 16:19:40 UTC
Description of problem:

- create a user.

- create a cluster role like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
  creationTimestamp: "2020-10-09T15:13:20Z"
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
      f:rules: {}
    manager: oc
    operation: Update
    time: "2020-10-09T15:37:44Z"
  name: scale
  resourceVersion: "60514"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/scale
  uid: 36bc20fe-c654-4431-8a9b-9b7db96a473a
- apiGroups:
  - apps
  - apps.openshift.io
  - configmaps
  - deploymentconfigs/scale
  - deployments/scale
  - replicationcontrollers/scale
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete

- create a rolebinding like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
  creationTimestamp: "2020-10-09T15:20:36Z"
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
        f:apiGroup: {}
        f:kind: {}
        f:name: {}
      f:subjects: {}
    manager: Mozilla
    operation: Update
    time: "2020-10-09T15:20:36Z"
  name: scalebinding
  resourceVersion: "55475"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/scalebinding
  uid: 44e210a1-1b14-4f0c-961f-9414736d0eaf
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: scale
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: gparente

- login as user

- scale deployment:

oc -n test scale deployment.apps/ruby-ex --replicas=3
deployment.apps/ruby-ex scaled

- try to scale using the console does not work

- we have to add to the clusterrole the deployments resource but that gives full access on the resource.

So. the workaroud is to edit the cluster role and add:

  - deployments

Version-Release number of selected component (if applicable): 4.5

How reproducible: always

Comment 1 Stephen Cuppett 2020-10-09 16:55:45 UTC
Setting target release to the active development branch (4.7.0). For any fixes, where required and requested, cloned BZs will be created for those release maintenance streams where appropriate once they are identified.

Comment 6 Andrew Ballantyne 2020-10-23 17:35:32 UTC
Jira ticket for planning purposes: https://issues.redhat.com/browse/ODC-5042

Comment 7 Andrew Ballantyne 2021-01-13 18:34:35 UTC
Pushing to 4.8 as we lack the bandwidth to address this in 4.7.

Comment 8 Rishu Mehra 2021-02-19 15:51:29 UTC
Updated the doc text filed.