Previously, the user was denied access to pull images from other projects, due to insufficient user permissions. This bug fix removes all the user interface checks for role bindings and shows the `oc` command alert to help users use the command line. With this bug fix, the user is no longer blocked from creating images from different namespaces and is now able to deploy images from their other projects.
Description of problem:
Users with edit right are unable to deploy images from their own namespace in the UI but they can do it using the CLI.
Version-Release number of selected component (if applicable):
4.5.15
4.4.16
How reproducible:
Always
Steps to Reproduce:
1. Create a user with edit right
2. Log in console and open the developer perspective
3. Click on "+ Add" and then choose "Container Image"
4. Choose "Image name from internal registry" and expand the dropdown
Actual results:
Error Message:
Warning alert:Permission denied
Service account default does not have authority to pull images from deploy-image. Select another project to continue.
Expected results:
No errors and should be able to deploy normally as command line.
Additional info:
Command line output:
# oc get rolebinding
NAME ROLE AGE
edit ClusterRole/edit 21m
system:deployers ClusterRole/system:deployer 52m
system:image-builders ClusterRole/system:image-builder 52m
system:image-pullers ClusterRole/system:image-puller 52m
# oc get istag
NAME IMAGE REFERENCE UPDATED
ruby:2.6 registry.redhat.io/rhscl/ruby-26-rhel7@sha256:4da4d3ce3bf718a0f0965300b6dd914c2e698b7202f5af4fafde21e6be6b06fd 26 seconds ago
# oc get is
NAME IMAGE REPOSITORY TAGS UPDATED
registry 2
ruby 2.6 28 seconds ago
oc get --raw /apis/image.openshift.io/v1/namespaces/deploy-image/imagestreams
{"kind":"ImageStreamList","apiVersion":"image.openshift.io/v1","metadata":{"selfLink":"/apis/image.openshift.io/v1/namespaces/deploy-image/imagestreams","resourceVersion":"9136644"},"items":[{"metadata":{"name":"registry","namespace":"deploy-image","selfLink":"/apis/image.openshift.io/v1/namespaces/deploy-image/imagestreams/registry","uid":"519cfbae-27cf-4e17-bd9a-0999cfea6131","resourceVersion":"9134968","generation":3,"creationTimestamp":"2020-11-03T10:18:25Z","annotations":{"openshift.io/image.dockerRepositoryCheck":"2020-11-03T10:20:42Z"}},"spec":{"lookupPolicy":{"local":false},"tags":[{"name":"2","annotations":null,"from":{"kind":"DockerImage","name":"docker.io/library/registry:2"},"generation":3,"importPolicy":{},"referencePolicy":{"type":"Source"}}]},"status":{"dockerImageRepository":"","tags":[{"tag":"2","items":null,"conditions":[{"type":"ImportSuccess","status":"False","lastTransitionTime":"2020-11-03T10:20:42Z","reason":"InternalError","message":"Internal error occurred: docker.io/library/registry:2: Get https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/2d/2d4f4b5309b1e41b4f83ae59b44df6d673ef44433c734b14c1c103ebca82c116/data?verify=1604402734-4hsrV327A2AP616jdeiGvZTf8bA%3D: net/http: TLS handshake timeout","generation":3}]}]}},{"metadata":{"name":"ruby","namespace":"deploy-image","selfLink":"/apis/image.openshift.io/v1/namespaces/deploy-image/imagestreams/ruby","uid":"11bb36f3-5379-4729-a729-b757fe71fa6d","resourceVersion":"9136451","generation":2,"creationTimestamp":"2020-11-03T10:24:59Z","annotations":{"openshift.io/image.dockerRepositoryCheck":"2020-11-03T10:25:01Z"}},"spec":{"lookupPolicy":{"local":false},"tags":[{"name":"2.6","annotations":{"description":"Build and run Ruby 2.6 applications on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-ruby-container/blob/master/2.6/README.md.","iconClass":"icon-ruby","openshift.io/display-name":"Ruby 2.6","openshift.io/provider-display-name":"Red Hat, Inc.","sampleRepo":"https://github.com/sclorg/ruby-ex.git","supports":"ruby:2.6,ruby","tags":"builder,ruby","version":"2.6"},"from":{"kind":"DockerImage","name":"registry.redhat.io/rhscl/ruby-26-rhel7:latest"},"generation":2,"importPolicy":{},"referencePolicy":{"type":"Local"}}]},"status":{"dockerImageRepository":"","tags":[{"tag":"2.6","items":[{"created":"2020-11-03T10:25:01Z","dockerImageReference":"registry.redhat.io/rhscl/ruby-26-rhel7@sha256:4da4d3ce3bf718a0f0965300b6dd914c2e698b7202f5af4fafde21e6be6b06fd","image":"sha256:4da4d3ce3bf718a0f0965300b6dd914c2e698b7202f5af4fafde21e6be6b06fd","generation":2}]}]}}]}
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2020:5633
Description of problem: Users with edit right are unable to deploy images from their own namespace in the UI but they can do it using the CLI. Version-Release number of selected component (if applicable): 4.5.15 4.4.16 How reproducible: Always Steps to Reproduce: 1. Create a user with edit right 2. Log in console and open the developer perspective 3. Click on "+ Add" and then choose "Container Image" 4. Choose "Image name from internal registry" and expand the dropdown Actual results: Error Message: Warning alert:Permission denied Service account default does not have authority to pull images from deploy-image. Select another project to continue. Expected results: No errors and should be able to deploy normally as command line. Additional info: Command line output: # oc get rolebinding NAME ROLE AGE edit ClusterRole/edit 21m system:deployers ClusterRole/system:deployer 52m system:image-builders ClusterRole/system:image-builder 52m system:image-pullers ClusterRole/system:image-puller 52m # oc get istag NAME IMAGE REFERENCE UPDATED ruby:2.6 registry.redhat.io/rhscl/ruby-26-rhel7@sha256:4da4d3ce3bf718a0f0965300b6dd914c2e698b7202f5af4fafde21e6be6b06fd 26 seconds ago # oc get is NAME IMAGE REPOSITORY TAGS UPDATED registry 2 ruby 2.6 28 seconds ago oc get --raw /apis/image.openshift.io/v1/namespaces/deploy-image/imagestreams {"kind":"ImageStreamList","apiVersion":"image.openshift.io/v1","metadata":{"selfLink":"/apis/image.openshift.io/v1/namespaces/deploy-image/imagestreams","resourceVersion":"9136644"},"items":[{"metadata":{"name":"registry","namespace":"deploy-image","selfLink":"/apis/image.openshift.io/v1/namespaces/deploy-image/imagestreams/registry","uid":"519cfbae-27cf-4e17-bd9a-0999cfea6131","resourceVersion":"9134968","generation":3,"creationTimestamp":"2020-11-03T10:18:25Z","annotations":{"openshift.io/image.dockerRepositoryCheck":"2020-11-03T10:20:42Z"}},"spec":{"lookupPolicy":{"local":false},"tags":[{"name":"2","annotations":null,"from":{"kind":"DockerImage","name":"docker.io/library/registry:2"},"generation":3,"importPolicy":{},"referencePolicy":{"type":"Source"}}]},"status":{"dockerImageRepository":"","tags":[{"tag":"2","items":null,"conditions":[{"type":"ImportSuccess","status":"False","lastTransitionTime":"2020-11-03T10:20:42Z","reason":"InternalError","message":"Internal error occurred: docker.io/library/registry:2: Get https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/2d/2d4f4b5309b1e41b4f83ae59b44df6d673ef44433c734b14c1c103ebca82c116/data?verify=1604402734-4hsrV327A2AP616jdeiGvZTf8bA%3D: net/http: TLS handshake timeout","generation":3}]}]}},{"metadata":{"name":"ruby","namespace":"deploy-image","selfLink":"/apis/image.openshift.io/v1/namespaces/deploy-image/imagestreams/ruby","uid":"11bb36f3-5379-4729-a729-b757fe71fa6d","resourceVersion":"9136451","generation":2,"creationTimestamp":"2020-11-03T10:24:59Z","annotations":{"openshift.io/image.dockerRepositoryCheck":"2020-11-03T10:25:01Z"}},"spec":{"lookupPolicy":{"local":false},"tags":[{"name":"2.6","annotations":{"description":"Build and run Ruby 2.6 applications on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-ruby-container/blob/master/2.6/README.md.","iconClass":"icon-ruby","openshift.io/display-name":"Ruby 2.6","openshift.io/provider-display-name":"Red Hat, Inc.","sampleRepo":"https://github.com/sclorg/ruby-ex.git","supports":"ruby:2.6,ruby","tags":"builder,ruby","version":"2.6"},"from":{"kind":"DockerImage","name":"registry.redhat.io/rhscl/ruby-26-rhel7:latest"},"generation":2,"importPolicy":{},"referencePolicy":{"type":"Local"}}]},"status":{"dockerImageRepository":"","tags":[{"tag":"2.6","items":[{"created":"2020-11-03T10:25:01Z","dockerImageReference":"registry.redhat.io/rhscl/ruby-26-rhel7@sha256:4da4d3ce3bf718a0f0965300b6dd914c2e698b7202f5af4fafde21e6be6b06fd","image":"sha256:4da4d3ce3bf718a0f0965300b6dd914c2e698b7202f5af4fafde21e6be6b06fd","generation":2}]}]}}]}