Bug 2211841

Summary: Regular users can't use NADs located in other namespaces in their VMs despite having permissions to access them
Product: Container Native Virtualization (CNV)
Reporter: Oren Cohen <ocohen>
Component: User Experience
Assignee: Tal Nisan <tnisan>
Status: CLOSED WONTFIX
QA Contact: Guohua Ouyang <gouyang>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 4.13.0
CC: gouyang, ryasharz
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-08-02 03:24:19 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments:
Description Flags
screenshot none

Description Oren Cohen 2023-06-02 08:11:46 UTC
Created attachment 1968497 (screenshot)

Description of problem:
If a regular user has RBAC to get/list/watch a network-attachment-definition in a namespace the user is not an admin of, the "Add network interface" modal doesn't allow the user to use that NAD in the new NIC. A red message is shown: "No NetworkAttachmentDefinitions available. Contact your system administrator for additional support.".
We would expect that if such a permission is configured for a user, s/he should be able to use that NAD in their VMs residing in namespaces they're admins of.

Version-Release number of selected component (if applicable):
4.13.0, but probably happens in previous versions.

How reproducible:
100%

Steps to Reproduce:
1. create a NAD in some arbitrary namespace (e.g. default)
2. add a clusterrole with get, list, watch on that NAD, and a rolebinding in the user's namespace for this role and a regular user.
3. when logged-in as the user, try to create a VM in a namespace the user is an admin of, and then try to add an additional network interface using NAD/bridge.

Actual results:
The user is not allowed to select the NAD s/he has permissions to. The drop-down list is grayed-out.

Expected results:
The user should see the NAD on the "Network" drop-down list and be able to select and use it for their VM.

Additional info:

Comment 1 Guohua Ouyang 2023-06-04 23:39:53 UTC
Hi Oren, Did you try it via command line?
I think this is a duplicate of https://issues.redhat.com/browse/OCPBUGS-6959 and it seems the OCP team would not like to fix it.

Comment 2 Oren Cohen 2023-06-05 07:04:28 UTC
Yes, with the RBAC to the NAD in place, the regular user can get the NAD or list NADs in a namespace with oc (I verified it with the `--as` CLI option).
The fact that cluster-readers don't have access to NADs is something else. In our case the user is not a cluster reader but is given a specific permission to the NAD in a different namespace that he's not an admin of.

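The reproduction steps from the description and the `--as` check from comment 2, written out as one script. This is an added example, not code from the bug report or from the CNV project. The names are assumptions: a NAD called "bridge-net" on bridge "br1" in namespace "default", and a regular user "alice"; the `cnv-bridge` CNI type is likewise an assumed choice. One point the steps leave implicit: a RoleBinding only grants access inside the namespace it is created in, so the binding has to live in the namespace that holds the NAD (the one the user does not administer), while the ClusterRole it references is cluster-scoped.

```shell
#!/usr/bin/env sh
# Added example, not code from the bug report or from CNV: grant a regular user
# read access to a NAD in a namespace they do not administer, then verify the
# grant with impersonation the way comment 2 did.
# Assumed names (override via the environment): NAD "bridge-net" in namespace
# "default", user "alice", bridge "br1".
NAD_NS="${NAD_NS:-default}"
NAD_NAME="${NAD_NAME:-bridge-net}"
USER_NAME="${USER_NAME:-alice}"
BRIDGE="${BRIDGE:-br1}"

# Render the NAD and its RBAC. A RoleBinding only grants access inside the
# namespace it is created in, so the binding goes into the NAD's namespace,
# not the user's own; the ClusterRole itself carries no namespace.
render_manifests() {
cat <<EOF
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: ${NAD_NAME}
  namespace: ${NAD_NS}
spec:
  config: '{"cniVersion":"0.3.1","name":"${NAD_NAME}","type":"cnv-bridge","bridge":"${BRIDGE}"}'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nad-reader
rules:
- apiGroups: ["k8s.cni.cncf.io"]
  resources: ["network-attachment-definitions"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ${USER_NAME}-nad-reader
  namespace: ${NAD_NS}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nad-reader
subjects:
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: ${USER_NAME}
EOF
}

# Apply the manifests from a cluster-admin session (needs a live cluster).
apply_manifests() {
  render_manifests | oc apply -f -
}

# Check the grant from the user's point of view without their credentials:
# --as impersonates them, so both calls fail if the binding is missing or sits
# in the wrong namespace. Exit status is non-zero on a denied check.
check_access() {
  oc auth can-i list network-attachment-definitions.k8s.cni.cncf.io \
    -n "${NAD_NS}" --as="${USER_NAME}" &&
  oc get network-attachment-definitions -n "${NAD_NS}" --as="${USER_NAME}"
}

# Usage: ./nad-rbac.sh apply   (render + apply, then run the checks)
#        ./nad-rbac.sh render  (print the manifests only)
case "${1:-}" in
  apply)  apply_manifests && check_access ;;
  render) render_manifests ;;
esac
```

With this in place `check_access` succeeds on the CLI, which is exactly the situation the bug describes: the API server authorizes the user, yet the 4.13 console's "Add network interface" modal still reports no NetworkAttachmentDefinitions available.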
Comment 3 Guohua Ouyang 2023-08-02 03:24:19 UTC
Closing the bug, as the OCP team would not like to fix it in https://issues.redhat.com/browse/OCPBUGS-6959

Comment 4 Oren Cohen 2023-08-02 06:27:38 UTC
This BZ has been fixed by Matan: https://issues.redhat.com/browse/CNV-29391
Probably there is some issue with the bug sync between bugzilla and jira.