Bug 2037483

Summary: Rbacs for Pods within the CBO should be more restrictive
Product: OpenShift Container Platform Reporter: sdasu
Component: Bare Metal Hardware ProvisioningAssignee: sdasu
Bare Metal Hardware Provisioning sub component: cluster-baremetal-operator QA Contact: Jad Haj Yahya <jhajyahy>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: medium CC: aos-bugs, jhajyahy
Version: 4.10Keywords: Triaged
Target Milestone: ---   
Target Release: 4.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-10 16:37:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description sdasu 2022-01-05 17:21:15 UTC 
Description of problem:
A recent fix to the CBO gave CBO the permission to list and get pods in every namespace. CBO only needs to do that for Pods within the openshift-machine-api namespace.
Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:
CBO can list, get and watch Pods only in the openshift-machine-api namespace.

Additional info:
Comment 3 Jad Haj Yahya 2022-01-16 11:18:28 UTC 
@sdasu Hey,

How can I reproduce/verify this BZ
Comment 4 Jad Haj Yahya 2022-01-16 14:48:08 UTC 
@sdasu

I used the following process to verify that cluster-baremetal-operator serviceaccount cannot see pods form namespaces other than openshift-machine-api:


oc describe sa cluster-baremetal-operator -n openshift-machine-api
oc describe secrets cluster-baremetal-operator-token-dxwtx -n openshift-machine-api
oc login --token=eyJhbGciOiJSU.....

oc get pods
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:openshift-machine-api:cluster-baremetal-operator" cannot list resource "pods" in API group "" in the namespace "default"

oc get pods -n openshift-machine-api
NAME                                           READY   STATUS    RESTARTS        AGE
cluster-autoscaler-operator-6fb8fc5cbb-sbd4d   2/2     Running   1 (3d20h ago)   3d20h
cluster-baremetal-operator-5d58dbc94c-jfflr    2/2     Running   2 (3d20h ago)   3d20h
machine-api-controllers-54b8ff44c8-jwtqx       7/7     Running   0               3d20h
machine-api-operator-57648b678d-frrfq          2/2     Running   1 (3d20h ago)   3d20h
metal3-6db6ff88df-2klvh                        7/7     Running   0               3d20h
metal3-image-cache-4kvp6                       1/1     Running   0               3d20h
metal3-image-cache-fspq9                       1/1     Running   0               3d20h
metal3-image-cache-gj9mr                       1/1     Running   0               3d20h
metal3-image-customization-6745d749b8-vdgsm


please confirm
Comment 5 Jad Haj Yahya 2022-01-17 06:10:07 UTC 
Verified with 4.10.0-0.nightly-2022-01-11-065245 release using above steps
Comment 8 errata-xmlrpc 2022-03-10 16:37:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056
Comment 9 sdasu 2022-03-30 17:09:43 UTC 
(In reply to Jad Haj Yahya from comment #4)
> @sdasu
> 
> I used the following process to verify that cluster-baremetal-operator
> serviceaccount cannot see pods form namespaces other than
> openshift-machine-api:
> 
> 
> oc describe sa cluster-baremetal-operator -n openshift-machine-api
> oc describe secrets cluster-baremetal-operator-token-dxwtx -n
> openshift-machine-api
> oc login --token=eyJhbGciOiJSU.....
> 
> oc get pods
> Error from server (Forbidden): pods is forbidden: User
> "system:serviceaccount:openshift-machine-api:cluster-baremetal-operator"
> cannot list resource "pods" in API group "" in the namespace "default"
> 
> oc get pods -n openshift-machine-api
> NAME                                           READY   STATUS    RESTARTS   
> AGE
> cluster-autoscaler-operator-6fb8fc5cbb-sbd4d   2/2     Running   1 (3d20h
> ago)   3d20h
> cluster-baremetal-operator-5d58dbc94c-jfflr    2/2     Running   2 (3d20h
> ago)   3d20h
> machine-api-controllers-54b8ff44c8-jwtqx       7/7     Running   0          
> 3d20h
> machine-api-operator-57648b678d-frrfq          2/2     Running   1 (3d20h
> ago)   3d20h
> metal3-6db6ff88df-2klvh                        7/7     Running   0          
> 3d20h
> metal3-image-cache-4kvp6                       1/1     Running   0          
> 3d20h
> metal3-image-cache-fspq9                       1/1     Running   0          
> 3d20h
> metal3-image-cache-gj9mr                       1/1     Running   0          
> 3d20h
> metal3-image-customization-6745d749b8-vdgsm
> 
> 
> please confirm

Yes, that is correct.