Description of problem:
Currently, we must grant cluster-admin to the user to create/list ingress objects. And also we must add cluster role "system:service-serving-cert-controller" to router to make ingress work; these may have some security risk.

Version-Release number of selected component (if applicable):
openshift v3.5.0.18+9a5d1aa
kubernetes v1.5.2+43a9be4
etcd 3.1.0

How reproducible:
always

Steps to Reproduce:
1. Enable ingress on haproxy
   oadm policy add-cluster-role-to-user cluster-reader system:serviceaccount:default:router
   oadm policy add-cluster-role-to-user system:service-serving-cert-controller system:serviceaccount:default:router
   oc env dc/router ROUTER_ENABLE_INGRESS=true
2. Login with a general user and create pod, svc, ingress
   oc new-project hongli
   oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/caddy-docker.json
   oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/edge/service_unsecure.json
   oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/ingress/tls-ingress.json

Actual results:
Error from server (Forbidden): error when creating ... : User "hongli" cannot create extensions.ingresses in project "hongli"

Expected results:
general user can create ingress

Additional info:
workaround is adding cluster role "cluster-admin" to general user
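As an added example (not part of this bug report or of OpenShift itself): an audit that flags the two broad grants the workaround above relies on, parsing the JSON that `oc get clusterrolebindings -o json` prints. It assumes the rbac.authorization.k8s.io shape (roleRef.name plus a subjects list); the sample bindings are constructed to mirror the report.

```python
"""Flag cluster role bindings that hand out the broad roles this report uses.
Added example; not code from the bug report or from OpenShift."""
import json
import sys

# Roles the report's workaround grants; both are far wider than "create ingress".
SENSITIVE_ROLES = {
    "cluster-admin": "full cluster control",
    "system:service-serving-cert-controller": "secret access across namespaces",
}


def sensitive_grants(bindings_json):
    """Return (role, subject, reason) for every binding of a sensitive role.

    bindings_json: dict as printed by `oc get clusterrolebindings -o json`
    (assumed shape: items[].roleRef.name and items[].subjects[]).
    """
    findings = []
    for item in bindings_json.get("items", []):
        role = item.get("roleRef", {}).get("name")
        if role not in SENSITIVE_ROLES:
            continue
        for subj in item.get("subjects") or []:
            if subj.get("kind") == "ServiceAccount":
                # Render SAs the way oadm policy names them.
                who = "system:serviceaccount:%s:%s" % (subj.get("namespace", ""), subj.get("name", "?"))
            else:
                who = "%s:%s" % (subj.get("kind", "?"), subj.get("name", "?"))
            findings.append((role, who, SENSITIVE_ROLES[role]))
    return findings


# Constructed sample: router SA given the cert-controller role, user "hongli"
# given cluster-admin, plus a cluster-reader binding that should not be flagged.
SAMPLE = {"items": [
    {"roleRef": {"name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "hongli"},
                  {"kind": "Group", "name": "system:masters"}]},
    {"roleRef": {"name": "system:service-serving-cert-controller"},
     "subjects": [{"kind": "ServiceAccount", "name": "router", "namespace": "default"}]},
    {"roleRef": {"name": "cluster-reader"},
     "subjects": [{"kind": "ServiceAccount", "name": "router", "namespace": "default"}]},
]}

if __name__ == "__main__":
    # Pass a saved `oc get clusterrolebindings -o json` file, or run on the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for role, who, why in sensitive_grants(data):
        print("%s -> %s (%s)" % (role, who, why))
```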
For now I am okay with making this require cluster-admin. It needs to read all secrets which is pretty scary, so until we work out how to make that more fine-grained we may as well use the big hammer permission.
Hi @ben and @jtanenba, do you have any changes for these privileges? I tested in the latest OCP 3.9.0-0.38.0 and found that a normal user can create ingresses directly (without the "cluster-admin" role), e.g.

# oc whoami
hongli
# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/ingress/test-ingress.json
ingress "test-ingress" created
# oc get ing
NAME           HOSTS         ADDRESS   PORTS     AGE
test-ingress   foo.bar.com             80        28s
Instead of granting fewer permissions, an ingress-to-route controller has been implemented. This allows an internal object to digest the ingress object and generate/keep in sync one or more route objects that satisfy the conditions of the ingress object.
The feature has been implemented since 3.10, so verified this bug.