Description of problem:
When sending a POST to the PodSecurityPolicySubjectReview API with a specific user name, I got back:

"status": {
  "template": {
    "metadata": {
      "creationTimestamp": null
    },
    "spec": {
      "containers": null,
      "restartPolicy": "Always",
      "terminationGracePeriodSeconds": 30,
      "dnsPolicy": "ClusterFirst",
      "securityContext": {}
    }
  }
}

Version-Release number of selected component (if applicable):
devenv-rhel7_5161

How reproducible:
always

Steps to Reproduce:
1. POST a PodSecurityPolicySubjectReview:

{
  "kind": "PodSecurityPolicySubjectReview",
  "apiVersion": "v1",
  "metadata": {
    "name": "pspsr"
  },
  "spec": {
    "template": {
      "spec": {
        "containers": [
          {
            "name": "hello-openshift",
            "image": "aosqe/hello-openshift",
            "ports": [
              {
                "containerPort": 8080,
                "protocol": "TCP"
              }
            ],
            "resources": {},
            "volumeMounts": [
              {
                "name": "tmp",
                "mountPath": "/tmp"
              }
            ],
            "terminationMessagePath": "/dev/termination-log",
            "imagePullPolicy": "IfNotPresent",
            "securityContext": {
              "capabilities": {},
              "privileged": false
            }
          }
        ],
        "volumes": [
          {
            "name": "tmp",
            "emptyDir": {}
          }
        ],
        "restartPolicy": "Always",
        "dnsPolicy": "ClusterFirst",
        "serviceAccountName": "default"
      }
    },
    "user": "wjiang"
  },
  "status": {}
}

curl -k -H "Authorization: Bearer `oc whoami -t`" "https://localhost:8443/oapi/v1/namespaces/wjiang/podsecuritypolicysubjectreviews" -X POST -d @pspsr -H "Content-Type: application/json"

2. Check the result.
Actual results:
{
  "kind": "PodSecurityPolicySubjectReview",
  "apiVersion": "v1",
  "spec": {
    "template": {
      "metadata": {
        "creationTimestamp": null
      },
      "spec": {
        "volumes": [
          {
            "name": "tmp",
            "emptyDir": {}
          }
        ],
        "containers": [
          {
            "name": "hello-openshift",
            "image": "aosqe/hello-openshift",
            "ports": [
              {
                "containerPort": 8080,
                "protocol": "TCP"
              }
            ],
            "resources": {},
            "volumeMounts": [
              {
                "name": "tmp",
                "mountPath": "/tmp"
              }
            ],
            "terminationMessagePath": "/dev/termination-log",
            "imagePullPolicy": "IfNotPresent",
            "securityContext": {
              "capabilities": {},
              "privileged": false
            }
          }
        ],
        "restartPolicy": "Always",
        "terminationGracePeriodSeconds": 30,
        "dnsPolicy": "ClusterFirst",
        "serviceAccountName": "default",
        "serviceAccount": "default",
        "securityContext": {}
      }
    },
    "user": "wjiang"
  },
  "status": {
    "template": {
      "metadata": {
        "creationTimestamp": null
      },
      "spec": {
        "containers": null,
        "restartPolicy": "Always",
        "terminationGracePeriodSeconds": 30,
        "dnsPolicy": "ClusterFirst",
        "securityContext": {}
      }
    }
  }
}

Expected results:
Should list the SCCs in allowedBy.

Additional info:
PR in flight: https://github.com/openshift/origin/pull/11389
No fix is needed; you can ignore the previous comment. To keep consistent with the other SAR endpoints, a user needs to specify both user and groups to get reasonable information back. [1] explicitly states that you need to specify both to get a proper answer in light of the user name and the groups they are in.

[1] https://github.com/openshift/origin/blob/125ed10fa7103f46c5aa1593210ca0e1d417ea4b/pkg/security/api/types.go#L27-L29

I'm moving this back to ON_QA.
When specifying both user and groups, I could get reasonable information back.
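As an added example (not code from this report or from OpenShift itself), the following Python builds the review the way the thread concludes it must be sent, with both user and groups filled in, posts it to the same endpoint the curl command above uses, and reads the admitting SCC back out of status.allowedBy. The group names, the assumed object-reference shape of allowedBy in the constructed ADMITTED_RESPONSE, and the refusal to build a body without groups are this example's own choices, not behaviour the page documents.

```python
import json
import ssl
import urllib.request

# Endpoint layout taken from the curl command in the report.
API_PATH = "/oapi/v1/namespaces/{namespace}/podsecuritypolicysubjectreviews"

# Pod template from the report (the hello-openshift container), used as sample input.
HELLO_POD_SPEC = {
    "containers": [
        {
            "name": "hello-openshift",
            "image": "aosqe/hello-openshift",
            "ports": [{"containerPort": 8080, "protocol": "TCP"}],
            "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}],
            "securityContext": {"capabilities": {}, "privileged": False},
        }
    ],
    "volumes": [{"name": "tmp", "emptyDir": {}}],
    "restartPolicy": "Always",
    "dnsPolicy": "ClusterFirst",
    "serviceAccountName": "default",
}


def make_review(name, pod_spec, user, groups):
    """Build the PodSecurityPolicySubjectReview request body.

    The thread's conclusion is that the review only answers meaningfully when
    both user and groups are set, so this helper refuses (its own choice, not
    an API rule) to build a body with either missing.
    """
    if not user or not groups:
        raise ValueError("specify both user and groups, e.g. ['system:authenticated']")
    return {
        "kind": "PodSecurityPolicySubjectReview",
        "apiVersion": "v1",
        "metadata": {"name": name},
        "spec": {"template": {"spec": pod_spec}, "user": user, "groups": list(groups)},
    }


def post_review(base_url, namespace, token, review, verify_tls=True):
    """POST the review like the curl command in the report; verify_tls=False mirrors curl -k."""
    url = base_url.rstrip("/") + API_PATH.format(namespace=namespace)
    req = urllib.request.Request(
        url,
        data=json.dumps(review).encode(),
        method="POST",
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def allowed_by(response):
    """Return the SCC name in status.allowedBy, or None.

    None is the symptom in the report: status.template comes back with
    "containers": null and no allowedBy, so no SCC admitted the pod for the
    subject as described (here because groups were never supplied).
    """
    status = response.get("status") or {}
    ref = status.get("allowedBy") or {}
    return ref.get("name") or None


# Constructed from the "Actual results" in the report: empty template, no allowedBy.
EMPTY_RESPONSE = {
    "kind": "PodSecurityPolicySubjectReview",
    "apiVersion": "v1",
    "status": {"template": {"spec": {"containers": None, "restartPolicy": "Always"}}},
}

# Constructed example of an admitted review; the allowedBy shape is an assumption.
ADMITTED_RESPONSE = {
    "kind": "PodSecurityPolicySubjectReview",
    "apiVersion": "v1",
    "status": {
        "allowedBy": {"kind": "SecurityContextConstraints", "name": "restricted"},
        "template": {"spec": {"containers": [{"name": "hello-openshift"}]}},
    },
}

if __name__ == "__main__":
    # Group names are assumed defaults for an OAuth-authenticated user.
    review = make_review("pspsr", HELLO_POD_SPEC, "wjiang",
                         ["system:authenticated", "system:authenticated:oauth"])
    print(json.dumps(review, indent=2))
    print("admitted by:", allowed_by(ADMITTED_RESPONSE))
    print("admitted by:", allowed_by(EMPTY_RESPONSE))
    # To run it for real: post_review("https://localhost:8443", "wjiang", token, review, verify_tls=False)
```

To reproduce the fixed behaviour against a dev cluster, pass the output of `oc whoami -t` as the token and check that `allowed_by` returns an SCC name rather than None.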