Bug 1393455 - system:router clusterrole cannot get namespaces
Summary: system:router clusterrole cannot get namespaces
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.3.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assignee: Ben Bennett
QA Contact: zhaozhanqi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-11-09 15:20 UTC by Steven Walter
Modified: 2022-08-04 22:20 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-10 17:26:38 UTC
Target Upstream Version:

Description Steven Walter 2016-11-09 15:20:55 UTC
Description of problem:
Currently, the system:router clusterrole cannot list namespaces. As per our docs and per upstream bug (https://bugzilla.redhat.com/show_bug.cgi?id=1332510) this IS expected behavior and for using NAMESPACE_LABELS one should simply add the cluster-reader role to the router service account. Customer believes this to be sub-optimal; it seems there are no real reasons to not include listing namespaces in the clusterrole for system:router. If there are security issues, are these not still issues when using router sharding? If there are not security issues, why not allow router to see namespaces by default?

Version-Release number of selected component (if applicable):
OSCP 3.3.0

As already mentioned, this is also addressed to some extent in the OpenShift Origin bz here:

https://bugzilla.redhat.com/show_bug.cgi?id=1332510

Comment 2 Ben Bennett 2016-11-09 16:01:53 UTC
Anyone who can list the namespaces can find out all of the other project names in the system.  In general we give the minimal set of privileges out, and let the admin decide whether they want to give out additional privileges to enable features.

So, if you want to allow sharding by namespace you need to allow listing namespaces.  But in general we don't want to make that a base router requirement.

Comment 5 Ryan Howe 2016-11-25 17:25:12 UTC
I see this being a documentation change describing how to create role for router sharding or adding a cluster role that gets bootstrapped that would be used for router sharding.


1. Document creating the role

# oc create -f - <<EOF
apiVersion: v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  name: namespace-reader
rules:
- apiGroups:
  - ""
  attributeRestrictions: null
  resources:
  - namespaces
  - namespaces/status
  verbs:
  - get
  - list
  - watch
EOF


# oc adm policy add-cluster-role-to-group namespace-reader system:routers

2. Or we would bootstrap the cluster role and just have the user run add role to group command.

https://github.com/openshift/origin/blob/master/pkg/cmd/server/bootstrappolicy/policy.go
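The trade-off argued in comments 2 and 5 is a least-privilege one: the narrow namespace-reader ClusterRole grants the router exactly what namespace sharding needs, while cluster-reader grants read access to far more. The following is an added example, not code from this bug report or from OpenShift, that models Kubernetes RBAC rule matching just far enough to compare the two roles against a set of sample requests. The namespace-reader rules are copied from the manifest in comment 5; the cluster-reader rules are a simplified, constructed stand-in (the real role enumerates many resource types rather than using wildcards), and all function names are this example's own.

```python
"""Minimal model of Kubernetes RBAC rule matching (constructed example).

Compares the narrow namespace-reader ClusterRole from comment 5 of this bug
with a simplified stand-in for cluster-reader, to show which requests the
broad role would additionally permit.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """One authorization question: may <verb> be performed on <resource>?"""
    verb: str
    api_group: str      # "" is the core (legacy) API group
    resource: str       # may include a subresource, e.g. "namespaces/status"


# Rules exactly as in the ClusterRole manifest from comment 5.
NAMESPACE_READER = [
    {"apiGroups": [""],
     "resources": ["namespaces", "namespaces/status"],
     "verbs": ["get", "list", "watch"]},
]

# Constructed, simplified stand-in for cluster-reader: the real role lists many
# resource types explicitly, but its effect (read access to nearly everything)
# is what matters for this comparison.
CLUSTER_READER_SIMPLIFIED = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
]


def _matches(wanted, allowed):
    """A rule entry matches on exact name or on the '*' wildcard."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, req):
    """A single rule allows a request only if group, resource and verb all match."""
    return (_matches(req.api_group, rule["apiGroups"])
            and _matches(req.resource, rule["resources"])
            and _matches(req.verb, rule["verbs"]))


def role_allows(rules, req):
    """RBAC is purely additive: any one matching rule grants the request."""
    return any(rule_allows(rule, req) for rule in rules)


def excess_grants(broad_rules, narrow_rules, requests):
    """Requests the broad role allows that the narrow role does not.

    This is the privilege a router would hold beyond what sharding needs if it
    were bound to the broad role instead of the narrow one.
    """
    return [req for req in requests
            if role_allows(broad_rules, req) and not role_allows(narrow_rules, req)]


# Constructed sample requests: what sharding needs, plus things it should not need.
SAMPLE_REQUESTS = [
    Request("list", "", "namespaces"),
    Request("watch", "", "namespaces"),
    Request("get", "", "namespaces/status"),
    Request("list", "", "secrets"),
    Request("get", "", "pods"),
    Request("list", "extensions", "deployments"),
    Request("delete", "", "namespaces"),
]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req.verb:6} {req.resource:20} namespace-reader={role_allows(NAMESPACE_READER, req)!s:5} "
              f"cluster-reader={role_allows(CLUSTER_READER_SIMPLIFIED, req)}")
    print("excess grants of cluster-reader over namespace-reader:")
    for req in excess_grants(CLUSTER_READER_SIMPLIFIED, NAMESPACE_READER, SAMPLE_REQUESTS):
        print("  ", req)
```

Running it shows that both roles satisfy the three namespace requests that sharding needs, neither allows `delete namespaces` (no write verbs in either), and only the broad role allows reading secrets, pods and deployments. That last set is the extra exposure Ben Bennett's comment is weighing when declining to make namespace access a base router privilege.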

Comment 6 Javier Ramirez 2017-09-21 06:50:38 UTC
Customer confirmed that approach provided by Ryan on comment #5 worked perfectly, but would like this new ClusterRole to be included by default:

~~~
Yes, what we would like to finally achieve in this case is that the role suggested by your colleague at this case is included by default in Open Shift and that router deployment docs (and tests) is updated to use it instead of cluster-reader.
~~~

Comment 9 Ryan Howe 2018-12-10 17:26:38 UTC
The router is now added to cluster reader by the installer.

https://github.com/openshift/openshift-ansible/blob/release-3.9/roles/openshift_hosted/tasks/router.yml#L76-L83


The docs also state that when using router sharding that the router should be added to the cluster-reader role.

https://docs.openshift.com/container-platform/3.11/install_config/router/default_haproxy_router.html#using-router-shards
