Bug 1983091

Summary: Logic for getting default pull secret incorrect on project page
Product: OpenShift Container Platform
Component: Management Console
Reporter: Samuel Padgett <spadgett>
Assignee: Kim Dobestein <kdoberst>
QA Contact: Yanping Zhang <yanpzhan>
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Version: 4.8
CC: aos-bugs, jokerman, kdoberst, yapei
Target Milestone: ---
Target Release: 4.9.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Doc Text:
Cause: Application was not showing all the pull secrets from the default ServiceAccount.
Consequence: Missing information on the project details screen and the user needed to go to the default ServiceAccount YAML to view all default pull secrets.
Fix: List all pull secrets from the default ServiceAccount on the project details page.
Result:
Last Closed: 2021-10-18 17:39:54 UTC
Type: Bug

Description Samuel Padgett 2021-07-16 13:44:20 UTC
The logic here looks wrong: https://github.com/openshift/console/blob/master/frontend/public/components/namespace.jsx#L843

We're only looking for kubernetes.io/dockerconfigjson and not kubernetes.io/dockercfg. But to use the image in a pod, you'd need to add it to the default service account. We should show the secrets referenced in the service account on this page.

https://docs.openshift.com/container-platform/4.7/openshift_images/managing_images/using-image-pull-secrets.html#images-allow-pods-to-reference-images-from-secure-registries_using-image-pull-secrets
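
The difference between filtering a namespace's Secrets by one type and following the default ServiceAccount's `imagePullSecrets` references, as an added example that is not part of the original report and is not the console's code. The `demo` namespace, every secret name other than `default-dockercfg-xczwx`, and the `status` values are constructed for illustration.

```javascript
// Added example, not the console's code. All objects are constructed samples.
const PULL_SECRET_TYPES = new Set([
  'kubernetes.io/dockerconfigjson',
  'kubernetes.io/dockercfg',
]);

// Selection the report describes: filter the namespace's Secrets by one type.
function pullSecretsByType(secrets) {
  return secrets
    .filter((s) => s.type === 'kubernetes.io/dockerconfigjson')
    .map((s) => s.metadata.name);
}

// Selection the report asks for: follow the default ServiceAccount's
// imagePullSecrets references. `secrets` is null when the viewer may not
// list Secrets; the referenced names are still reported in that case.
function defaultPullSecrets(serviceAccount, secrets) {
  const refs = (serviceAccount && serviceAccount.imagePullSecrets) || [];
  const byName = secrets && new Map(secrets.map((s) => [s.metadata.name, s]));
  return refs.map(({ name }) => {
    if (!byName) return { name, status: 'unknown' };
    const found = byName.get(name);
    if (!found) return { name, status: 'missing' };
    return { name, status: PULL_SECRET_TYPES.has(found.type) ? 'ok' : 'wrong-type' };
  });
}

const sampleServiceAccount = {
  kind: 'ServiceAccount',
  metadata: { name: 'default', namespace: 'demo' },
  imagePullSecrets: [
    { name: 'default-dockercfg-xczwx' },
    { name: 'my-registry' },
    { name: 'deleted-secret' }, // dangling reference
  ],
};
const mkSecret = (name, type) => ({ kind: 'Secret', metadata: { name }, type });
const sampleSecrets = [
  mkSecret('default-dockercfg-xczwx', 'kubernetes.io/dockercfg'),
  mkSecret('my-registry', 'kubernetes.io/dockerconfigjson'),
  mkSecret('unlinked-registry', 'kubernetes.io/dockerconfigjson'),
  mkSecret('default-token-abcde', 'kubernetes.io/service-account-token'),
];

console.log(pullSecretsByType(sampleSecrets));
console.log(defaultPullSecrets(sampleServiceAccount, sampleSecrets));
console.log(defaultPullSecrets(sampleServiceAccount, null));
```

The type filter omits the `kubernetes.io/dockercfg` secret and reports a registry secret that the default ServiceAccount does not reference, while the reference-based lookup reports exactly what pods in the namespace would use by default and flags a dangling reference.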

Comment 6 Yanping Zhang 2021-07-30 10:45:12 UTC
Checked on ocp 4.9 cluster with payload 4.9.0-0.nightly-2021-07-29-103526.
1. Create a project, check the default pull secret on project detail page, it displays "default-dockercfg-xczwx";
2. Create an image pull secret in the project, and add the secret in default sa in the project, then check default pull secret on the project detail page again, the new image pull secret is also shown.
3. Create a role "example1" with view project/namespace permission but no permission to view secret in project:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example1
  uid: 785f7296-20fd-4f1a-8105-30be19f92539
  resourceVersion: '470509'
  creationTimestamp: '2021-07-30T10:31:43Z'
  managedFields:
    - manager: Mozilla
      operation: Update
      apiVersion: rbac.authorization.k8s.io/v1
      time: '2021-07-30T10:31:43Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:rules': {}
rules:
  - verbs:
      - get
      - watch
      - list
    apiGroups:
      - ''
    resources:
      - projects
  - verbs:
      - get
    apiGroups:
      - ''
    resources:
      - namespaces
4. Grant normal user the "example1" role to the project.
5. Login with normal user, check on the project detail page, now the default pull secret field displays: "Error loading default pull Secrets"

The bug is fixed.

Comment 9 errata-xmlrpc 2021-10-18 17:39:54 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759