Bug 2160673
| Summary: | User cannot get resource "virtualmachineinstances/portforward" in API group "subresources.kubevirt.io" | | |
|---|---|---|---|
| Product: | Container Native Virtualization (CNV) | Reporter: | Juan Orti <jortialc> |
| Component: | Infrastructure | Assignee: | Felix Matouschek <fmatouschek> |
| Status: | VERIFIED --- | QA Contact: | Geetika Kapoor <gkapoor> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.11.2 | CC: | dholler, dustymabe, gkapoor |
| Target Milestone: | --- | | |
| Target Release: | 4.11.4 | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | v4.11.4-11 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Juan Orti
2023-01-13 09:31:31 UTC

Comment 1 (Felix Matouschek):

How was the user account created? Were any roles assigned to it? Without any roles it will not have any permissions.

Also can you please define "a regular user with admin privileges"? A user can either be an admin or a regular/unprivileged user.

Currently at least role 'kubevirt.io:edit' is needed to access portforwardings. With this PR [1] it would become possible to access portforwarding with role 'kubevirt.io:view'.

[1] https://github.com/kubevirt/kubevirt/pull/9071

Okay, I think I found the issue. The default cluster roles grant privileges with the wrong verb on the required API endpoints. This PR should fix it: https://github.com/kubevirt/kubevirt/pull/9120

(In reply to Felix Matouschek from comment #1)
> How was the user account created? Were any roles assigned to it? Without any
> roles it will not have any permissions.
> Also can you please define "a regular user with admin privileges"? A user
> can either be an admin or a regular/unprivileged user.

For the record, this is the rolebinding of my test user:

~~~
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2023-01-13T08:45:38Z"
  name: jorti-admin
  namespace: jorti
  resourceVersion: "83755649"
  uid: 9146690a-b999-478a-a76b-b1544ade511d
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: jorti
~~~

Setup:
1. Create a rolebinding for any regular user.

~~~
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: test-geetika-admin
  namespace: testing-cnv
  uid: d443e6c2-67a0-4783-9c39-daa5d00643cd
  resourceVersion: '1440834'
  creationTimestamp: '2023-05-25T11:06:39Z'
  managedFields:
    - manager: Mozilla
      operation: Update
      apiVersion: rbac.authorization.k8s.io/v1
      time: '2023-05-25T11:06:39Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:roleRef': {}
        'f:subjects': {}
subjects:
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: geetika-test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
~~~

2. Set up oauth to use htpasswd for the user (note: any other identity provider can also be used, such as github, basic auth, ldap).

~~~
spec:
  identityProviders:
    - htpasswd:
        fileData:
          name: htpasswd-k8s58
      mappingMethod: claim
      name: geetika-test
      type: HTPasswd
~~~

Note: Generate the HTPasswd password from any generator.

Login with user geetika-test with htpasswd (plain text).

1. ssh-keygen -f key_file_test_geetika
2. oc create secret generic my-pub-key-test-geetika --from-file=key1=key_file_test_geetika.pub -n testing-cnv
3. Create a VM with the public key (key_file_test_geetika.pub) in authorized keys.
4. Wait for the VM to be up.
5. Try to access the console using: $ virtctl ssh --username=cloud-user rhel9-mushy-leopard -n testing-cnv -i key_file_test_geetika

~~~
$ oc get vmi -n testing-cnv
NAME                  AGE   PHASE     IP             NODENAME                            READY
rhel9-mushy-leopard   69m   Running   10.129.2.251   c01-gk411bug-rf26w-worker-0-f4tcr   True
~~~

6. Login should be successful.
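An added example, not code from this bug report or from kubevirt: a small Python evaluator of Kubernetes RBAC PolicyRules that reproduces the diagnosis in the comments above (a default role granting the portforward subresource with the wrong verb). The rule sets are constructed, since the real kubevirt ClusterRoles are not on this page and the "fixed" verb set is an assumption; it shows that a grant with a different verb, or on the parent resource only, never matches a GET on `virtualmachineinstances/portforward`, which is why the admin RoleBinding used in the verification steps depends on the aggregated kubevirt role being correct.

```python
# Minimal evaluator of Kubernetes RBAC PolicyRules, added to show why a user
# bound to the aggregated "admin" role can still be denied "get" on a
# subresource. The rules are CONSTRUCTED to mirror the diagnosis above; they
# are not the real kubevirt ClusterRoles, and the fixed verb set is assumed.
GROUP = "subresources.kubevirt.io"
PORTFORWARD = "virtualmachineinstances/portforward"

# "Broken": console/vnc are granted with "get", but portforward with another
# verb, so a GET on .../portforward falls through every rule.
BROKEN_RULES = [
    {"apiGroups": [GROUP], "verbs": ["get"],
     "resources": ["virtualmachineinstances/console",
                   "virtualmachineinstances/vnc"]},
    {"apiGroups": [GROUP], "verbs": ["update"], "resources": [PORTFORWARD]},
]
# "Fixed": the API server checks the verb "get" for this request.
FIXED_RULES = [
    {"apiGroups": [GROUP], "verbs": ["get"],
     "resources": ["virtualmachineinstances/console",
                   "virtualmachineinstances/vnc", PORTFORWARD]},
]
CLUSTER_ADMIN = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]


def _match(allowed, value):
    return "*" in allowed or value in allowed


def _match_resource(allowed, resource):
    # A grant on "virtualmachineinstances" does NOT cover its subresources;
    # only an exact "res/sub", a "*/sub" or a bare "*" entry matches one.
    if "*" in allowed or resource in allowed:
        return True
    if "/" in resource:
        return "*/" + resource.split("/", 1)[1] in allowed
    return False


def can_i(rules, verb, group, resource):
    """True if any rule grants (verb, apiGroup, resource), as RBAC would."""
    return any(_match(r["verbs"], verb)
               and _match(r.get("apiGroups", [""]), group)
               and _match_resource(r.get("resources", []), resource)
               for r in rules)


def deny_message(user, verb, group, resource, namespace):
    """Shape of the API server's Forbidden reason, as in this bug's title."""
    return (f'User "{user}" cannot {verb} resource "{resource}" in API group '
            f'"{group}" in the namespace "{namespace}"')
```

`can_i(BROKEN_RULES, "get", GROUP, PORTFORWARD)` returns False while the same query against `FIXED_RULES` or `CLUSTER_ADMIN` returns True; `oc auth can-i` with `--as <user>` asks a live cluster the same question for a given identity.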