Bug 2066700
| Summary: | [node-tuning-operator] - Minimize wildcard/privilege Usage in Cluster and Local Roles | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Simon Reber <sreber> |
| Component: | Node Tuning Operator | Assignee: | dagray |
| Status: | CLOSED ERRATA | QA Contact: | liqcui |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 4.8 | CC: | dagray, jmencak |
| Target Milestone: | --- | | |
| Target Release: | 4.11.0 | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-08-10 10:55:23 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
|
Description
Simon Reber
2022-03-22 10:50:51 UTC

Comment #1 (dagray):

Thanks @sreber@redhat, can you please review the proposed fix for this BZ in https://github.com/openshift/cluster-node-tuning-operator/pull/333?

(In reply to dagray from comment #1)
> Thanks @sreber@redhat, can you please review the proposed fix for this BZ in
> https://github.com/openshift/cluster-node-tuning-operator/pull/333?

Not sure if you want me to comment here or in the pull request. Definitely the changes you have proposed look promising and are going in the right direction. If we can get this to work it should definitely satisfy the requirement mentioned.

Verified Result:

```console
[ocpadmin@ec2-18-217-45-133 ~]$ oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.11.0-0.nightly-2022-04-12-000004   True        False         7m5s    Cluster version is 4.11.0-0.nightly-2022-04-12-000004
[ocpadmin@ec2-18-217-45-133 ~]$ oc project openshift-cluster-node-tuning-operator
Now using project "openshift-cluster-node-tuning-operator" on server "https://api.liqcui-oc411ci.qe.devcluster.openshift.com:6443".
[ocpadmin@ec2-18-217-45-133 ~]$ oc get role |grep tun
[ocpadmin@ec2-18-217-45-133 ~]$ oc get clusterrole |grep tun
cluster-node-tuning-operator   2022-04-12T05:27:26Z
cluster-node-tuning:tuned      2022-04-12T05:27:31Z
[ocpadmin@ec2-18-217-45-133 ~]$ oc get clusterrole cluster-node-tuning:tuned -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
  creationTimestamp: "2022-04-12T05:27:31Z"
  name: cluster-node-tuning:tuned
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    kind: ClusterVersion
    name: version
    uid: 3a99d573-a903-4e42-8aa8-498970a76512
  resourceVersion: "2039"
  uid: 2c0126e9-7901-45c2-bc3b-b9a2d27e026b
rules:
- apiGroups:
  - tuned.openshift.io
  resources:
  - tuneds
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - tuned.openshift.io
  resources:
  - profiles
  verbs:
  - get
  - list
  - update
  - watch
  - patch
- apiGroups:
  - security.openshift.io
  resourceNames:
  - privileged
  resources:
  - securitycontextconstraints
  verbs:
  - use
[ocpadmin@ec2-18-217-45-133 ~]$ oc get clusterrole cluster-node-tuning-operator -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    include.release.openshift.io/ibm-cloud-managed: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
    include.release.openshift.io/single-node-developer: "true"
  creationTimestamp: "2022-04-12T05:27:26Z"
  name: cluster-node-tuning-operator
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    kind: ClusterVersion
    name: version
    uid: 3a99d573-a903-4e42-8aa8-498970a76512
  resourceVersion: "1923"
  uid: 99430ca1-8e93-43ae-a92e-20fbbfcc4149
rules:
- apiGroups:
  - tuned.openshift.io
  resources:
  - tuneds
  verbs:
  - create
  - get
  - delete
  - list
  - update
  - watch
  - patch
- apiGroups:
  - tuned.openshift.io
  resources:
  - tuneds/finalizers
  verbs:
  - update
- apiGroups:
  - tuned.openshift.io
  resources:
  - profiles
  verbs:
  - create
  - get
  - delete
  - list
  - update
  - watch
  - patch
- apiGroups:
  - tuned.openshift.io
  resources:
  - profiles/finalizers
  verbs:
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  verbs:
  - create
  - get
  - delete
  - list
  - update
  - watch
- apiGroups:
  - security.openshift.io
  resources:
  - securitycontextconstraints
  verbs:
  - use
- apiGroups:
  - ""
  resources:
  - configmaps
  - events
  verbs:
  - create
  - get
  - delete
  - list
  - update
  - watch
  - patch
- apiGroups:
  - ""
  resources:
  - nodes
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes/metrics
  - nodes/specs
  verbs:
  - get
- apiGroups:
  - config.openshift.io
  resources:
  - clusteroperators
  - infrastructures
  verbs:
  - create
  - get
  - list
  - watch
- apiGroups:
  - config.openshift.io
  resources:
  - clusteroperators/status
  - clusteroperators/finalizers
  verbs:
  - update
- apiGroups:
  - machineconfiguration.openshift.io
  resources:
  - kubeletconfigs
  - machineconfigs
  verbs:
  - create
  - get
  - delete
  - list
  - update
  - watch
- apiGroups:
  - machineconfiguration.openshift.io
  resources:
  - machineconfigpools
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
  - get
  - update
  - patch
- apiGroups:
  - node.k8s.io
  resources:
  - runtimeclasses
  verbs:
  - create
  - get
  - delete
  - list
  - update
  - watch
- apiGroups:
  - performance.openshift.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - operators.coreos.com
  resources:
  - clusterserviceversions
  - operatorgroups
  - subscriptions
  verbs:
  - get
  - delete
  - list
  - update
  - watch
```

and executed a test case, no issue.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069
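A check a reviewer of this bug would want to run on the verified roles, added here as an example and not code from the cluster-node-tuning-operator project: a small audit over the JSON that `oc get clusterrole <name> -o json` returns (the same object shape as the `-oyaml` output quoted above), reporting any `'*'` in apiGroups, resources or verbs, and any `use` on securitycontextconstraints or `bind`/`escalate` on roles that is not pinned with `resourceNames`. The escalation table and the reduced sample roles are assumptions of the example; the sample rules are transcribed from the verified output above, keeping only the rules the audit reacts to. Against those samples the `cluster-node-tuning:tuned` role passes because its SCC `use` is scoped to `privileged`, while `cluster-node-tuning-operator` is still reported for its unscoped SCC `use` and its `performance.openshift.io` `'*'`/`'*'` rule, which is exactly what a "minimize wildcard/privilege usage" review would ask about next.

```python
"""Audit Kubernetes/OpenShift (Cluster)Role rules for wildcards and unscoped
escalation verbs.

Added example; not code from the cluster-node-tuning-operator project. Reads
the JSON produced by `oc get clusterrole <name> -o json` (or the kind: List
that `oc get clusterrole -o json` wraps multiple roles in).
"""
import json
import sys

# (apiGroup, resource) -> verbs that are an escalation path unless the rule is
# pinned with resourceNames. Assumed minimal table; extend it for your cluster.
ESCALATION_VERBS = {
    ("security.openshift.io", "securitycontextconstraints"): {"use"},
    ("rbac.authorization.k8s.io", "clusterroles"): {"bind", "escalate"},
    ("rbac.authorization.k8s.io", "roles"): {"bind", "escalate"},
}


def audit_rules(rules):
    """Return one finding string per problem found in a role's rules list."""
    findings = []
    for i, rule in enumerate(rules):
        groups = rule.get("apiGroups") or []
        resources = rule.get("resources") or []
        verbs = rule.get("verbs") or []
        names = rule.get("resourceNames") or []

        # Any '*' in apiGroups, resources or verbs is a wildcard grant.
        wild = [field for field, values in (("apiGroups", groups),
                                            ("resources", resources),
                                            ("verbs", verbs)) if "*" in values]
        if wild:
            findings.append(
                f"rule[{i}] wildcard in {'/'.join(wild)}: "
                f"apiGroups={groups} resources={resources} verbs={verbs}")

        # 'use' on SCCs (or bind/escalate on roles) without resourceNames
        # applies to every object of that kind, including the privileged SCC.
        for group in groups:
            for res in resources:
                risky = ESCALATION_VERBS.get((group, res), set())
                hit = sorted(v for v in risky if v in verbs or "*" in verbs)
                if hit and not names:
                    findings.append(
                        f"rule[{i}] unscoped {hit} on {group}/{res}: "
                        "add resourceNames to pin the grant to named objects")
    return findings


def audit_role(role):
    """Audit one Role/ClusterRole object; findings are prefixed with its name."""
    name = role.get("metadata", {}).get("name", "<unnamed>")
    return [f"{role.get('kind', 'Role')}/{name}: {f}"
            for f in audit_rules(role.get("rules") or [])]


def audit_document(doc):
    """Accept a single role or a kind: List of roles, as `oc get -o json` emits."""
    items = doc.get("items") if doc.get("kind") == "List" else [doc]
    return [f for item in items for f in audit_role(item)]


# Constructed samples: rules transcribed from the verified ClusterRoles in
# this bug, reduced to the ones relevant to the audit.
TUNED_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "cluster-node-tuning:tuned"},
    "rules": [
        {"apiGroups": ["tuned.openshift.io"], "resources": ["tuneds"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["tuned.openshift.io"], "resources": ["profiles"],
         "verbs": ["get", "list", "update", "watch", "patch"]},
        {"apiGroups": ["security.openshift.io"], "resourceNames": ["privileged"],
         "resources": ["securitycontextconstraints"], "verbs": ["use"]},
    ],
}

OPERATOR_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "cluster-node-tuning-operator"},
    "rules": [
        {"apiGroups": ["apps"], "resources": ["daemonsets"],
         "verbs": ["create", "get", "delete", "list", "update", "watch"]},
        {"apiGroups": ["security.openshift.io"],
         "resources": ["securitycontextconstraints"], "verbs": ["use"]},
        {"apiGroups": ["performance.openshift.io"], "resources": ["*"],
         "verbs": ["*"]},
    ],
}

if __name__ == "__main__":
    # Usage: oc get clusterrole cluster-node-tuning-operator -o json | python audit_rbac.py
    # With no piped input the two constructed samples are audited instead.
    doc = (json.load(sys.stdin) if not sys.stdin.isatty()
           else {"kind": "List", "items": [TUNED_ROLE, OPERATOR_ROLE]})
    findings = audit_document(doc)
    print("\n".join(findings) or "no findings")
    sys.exit(1 if findings else 0)
```

The exit status makes the script usable as a gate in CI for operator manifests; a read-only verb set on a wildcard resource is still reported, since `list`/`watch` across an entire API group is what the bug title asks to minimise as well.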