Bug 2022745
| Summary: | Cluster reader is not able to list NodeNetwork* objects | |||
|---|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Petr Horáček <phoracek> | |
| Component: | Networking | Assignee: | Christoph Stäbler <cstabler> | |
| Networking sub component: | kubernetes-nmstate | QA Contact: | Aleksandra Malykhin <amalykhi> | |
| Status: | CLOSED ERRATA | Docs Contact: | ||
| Severity: | medium | |||
| Priority: | high | CC: | aos-bugs, cnv-qe-bugs, cstabler, oshoval, rnetser, ysegev | |
| Version: | 4.10 | |||
| Target Milestone: | --- | |||
| Target Release: | 4.11.0 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | Bug Fix | ||
| Doc Text: |
Cause: Users with role "cluster-reader" could not read custom resources from kubernetes-nmstate (e.g. NodeNetworkConfigurationPolicy).
Consequence: Users of this role could not check status.
Fix: Permissions to read kubernetes-nmstate resources have been added to cluster-reader role.
Result: Users with "cluster-reader" role can read kubernetes-nmstate custom resources.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 2087091 (view as bug list) | Environment: | ||
| Last Closed: | 2022-08-10 10:39:46 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2087091 | |||
*** Bug 2060269 has been marked as a duplicate of this bug. *** The issue was fixed U/S. Moving to the standalone knmstate component for verification. *** Bug 2057474 has been marked as a duplicate of this bug. *** Verified with Kubernetes NMState Operator 4.11.0-202205250927 Steps to Reproduce: 1. Bind an unprivileged user with cluster-reader role 2. Log in as such user 3. List NNS (oc get nns) [test@provisionhost-0-0 ~]$ oc get nns NAME AGE master-0-0 3m42s master-0-1 3m42s master-0-2 3m42s worker-0-0 3m43s worker-0-1 3m43s [test@provisionhost-0-0 ~]$ oc get nncp NAME STATUS REASON createif Available SuccessfullyConfigured Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069 |
Description of problem: As a used with cluster-reader role I should be able to read resources connected with cluster's network configuration. In this case, I want access to NodeNetworkConfigurationPolicy, NodeNetworkConfigurationEnactment and NodeNetworkState. This is however not possible today. Version-Release number of selected component (if applicable): OpenShift 4.8, 4.9 How reproducible: Always Steps to Reproduce: 1. Bind an unprivileged user with cluster-reader role 2. Log in as such user 3. List NNS (oc get nns) Actual results: The list fails due to the lack of privileges. Expected results: The user should be able to list and read these resources, just as nnce and nncp. Additional info: This can be accomplished through aggregated roles. Similar to this role used for NAD: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: net-attach-def-project labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" rules: - apiGroups: ["k8s.cni.cncf.io"] resources: ["network-attachment-definitions"] verbs: ["watch", "list"] This must be deployed only if the target role is available.