Description of problem:
Currently, we must grant cluster-admin to the user to create/list ingress objects, and also must add the cluster role "system:service-serving-cert-controller" to the router to make ingress work; this may pose some security risk.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Enable ingress on haproxy
oadm policy add-cluster-role-to-user cluster-reader system:serviceaccount:default:router
oadm policy add-cluster-role-to-user system:service-serving-cert-controller system:serviceaccount:default:router
oc env dc/router ROUTER_ENABLE_INGRESS=true
2. Log in as a general user and create pod, svc, ingress
oc new-project hongli
oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/caddy-docker.json
oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/edge/service_unsecure.json
oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/ingress/tls-ingress.json
Error from server (Forbidden): error when creating ... : User "hongli" cannot create extensions.ingresses in project "hongli"
Expected: a general user can create an ingress.
Workaround: add the cluster role "cluster-admin" to the general user.
For now I am okay with making this require cluster-admin. It needs to read all secrets which is pretty scary, so until we work out how to make that more fine-grained we may as well use the big hammer permission.
Hi @ben and @jtanenba, do you have any changes for these privileges?
I tested in the latest OCP 3.9.0-0.38.0 and found that a normal user can create ingresses directly (without the "cluster-admin" role):
# oc whoami
# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/ingress/test-ingress.json
ingress "test-ingress" created
# oc get ing
NAME           HOSTS         ADDRESS   PORTS   AGE
test-ingress   foo.bar.com             80      28s
Instead of granting fewer permissions, an ingress-to-route controller has been implemented. This allows an internal object to digest the ingress object and generate/keep in sync one or more route objects that satisfy the conditions of the ingress object.
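To make the translation concrete, here is an added illustration (not the OpenShift controller's code, and not from this bug's test files) of what "digest the ingress object and generate/keep in sync one or more route objects" amounts to. It assumes an Ingress of the extensions/v1beta1 shape with spec.rules[].http.paths[] and spec.tls[], emits one Route per (host, path) pair, and for TLS-covered hosts copies the certificate and key out of the referenced kubernetes.io/tls secret into the Route. That last step is where the "needs to read all secrets" concern from the earlier comment comes from: the controller, not the end user, has to be able to read the secret. The sample Ingress, the in-memory secret store, and the route naming scheme are all constructed for this example.

```python
"""Simplified model of an ingress-to-route controller (added illustration).

This is not the OpenShift controller's code. It assumes an Ingress of the
extensions/v1beta1 shape (spec.rules[].http.paths[], spec.tls[]) and emits one
OpenShift Route per (host, path) pair. For hosts covered by a TLS entry it
copies the referenced kubernetes.io/tls secret's certificate and key into the
Route, which is why such a controller needs read access to secrets.
"""
import base64
import copy
from typing import Dict, List

# Constructed sample Ingress (not one of the test files referenced in the bug).
SAMPLE_INGRESS = {
    "apiVersion": "extensions/v1beta1",
    "kind": "Ingress",
    "metadata": {"name": "test-ingress", "namespace": "hongli"},
    "spec": {
        "tls": [{"hosts": ["foo.bar.com"], "secretName": "foo-tls"}],
        "rules": [
            {"host": "foo.bar.com", "http": {"paths": [
                {"path": "/", "backend": {"serviceName": "service-unsecure", "servicePort": 80}},
                {"path": "/api", "backend": {"serviceName": "api", "servicePort": 8080}},
            ]}},
            {"host": "plain.example.com", "http": {"paths": [
                {"path": "/", "backend": {"serviceName": "service-unsecure", "servicePort": 80}},
            ]}},
        ],
    },
}

# Constructed secret store keyed namespace -> name; data is base64 as in the API.
SAMPLE_SECRETS = {
    "hongli": {
        "foo-tls": {
            "type": "kubernetes.io/tls",
            "data": {
                "tls.crt": base64.b64encode(b"-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n").decode(),
                "tls.key": base64.b64encode(b"-----BEGIN PRIVATE KEY-----\n(placeholder)\n-----END PRIVATE KEY-----\n").decode(),
            },
        },
    },
}


def ingress_to_routes(ingress: dict, secrets: Dict[str, Dict[str, dict]]) -> List[dict]:
    """Translate one Ingress into the list of Routes that satisfy it."""
    ns = ingress["metadata"]["namespace"]
    name = ingress["metadata"]["name"]
    # Map each TLS-covered host to the secret holding its certificate.
    tls_secret_for_host = {}
    for entry in ingress["spec"].get("tls", []):
        for host in entry.get("hosts", []):
            tls_secret_for_host[host] = entry["secretName"]

    routes = []
    for rule in ingress["spec"].get("rules", []):
        host = rule.get("host")
        if not host:
            continue  # a Route needs a host; hostless rules are skipped in this simplification
        for path_entry in rule.get("http", {}).get("paths", []):
            backend = path_entry["backend"]
            route = {
                "apiVersion": "route.openshift.io/v1",
                "kind": "Route",
                "metadata": {
                    # Hypothetical naming scheme; the real controller's differs.
                    "name": f"{name}-{len(routes) + 1}",
                    "namespace": ns,
                    "labels": {"ingress": name},
                },
                "spec": {
                    "host": host,
                    "path": path_entry.get("path", "/"),
                    "to": {"kind": "Service", "name": backend["serviceName"]},
                    "port": {"targetPort": backend["servicePort"]},
                },
            }
            secret_name = tls_secret_for_host.get(host)
            if secret_name is not None:
                # Only secrets in the Ingress's own namespace are consulted.
                secret = secrets.get(ns, {}).get(secret_name)
                if secret is None or secret.get("type") != "kubernetes.io/tls":
                    raise LookupError(f"TLS secret {ns}/{secret_name} missing or not kubernetes.io/tls")
                route["spec"]["tls"] = {
                    "termination": "edge",
                    "certificate": base64.b64decode(secret["data"]["tls.crt"]).decode(),
                    "key": base64.b64decode(secret["data"]["tls.key"]).decode(),
                }
            routes.append(route)
    return routes


def plan_sync(desired: List[dict], existing: List[dict]) -> Dict[str, List[str]]:
    """Diff desired against existing Routes (matched by name) into create/update/delete sets."""
    want = {r["metadata"]["name"]: r for r in desired}
    have = {r["metadata"]["name"]: r for r in existing}
    return {
        "create": sorted(n for n in want if n not in have),
        "update": sorted(n for n in want if n in have and want[n]["spec"] != have[n]["spec"]),
        "delete": sorted(n for n in have if n not in want),
    }


if __name__ == "__main__":
    generated = ingress_to_routes(SAMPLE_INGRESS, SAMPLE_SECRETS)
    for r in generated:
        print(r["metadata"]["name"], r["spec"]["host"], r["spec"]["path"],
              "edge-tls" if "tls" in r["spec"] else "plain")
    # Second reconcile: one Route was edited by hand and a stale one lingers.
    drifted = copy.deepcopy(generated[0])
    drifted["spec"]["to"]["name"] = "other-service"
    stale = {"metadata": {"name": "test-ingress-9"}, "spec": {}}
    print(plan_sync(generated, [drifted, generated[1], stale]))
```

The `plan_sync` step is the "keep in sync" half: on each reconcile the controller recomputes the desired Routes from the Ingress and reverts hand edits or removes leftovers, so the Ingress stays the single source of truth. Note that the secret lookup is restricted to the Ingress's own namespace; a controller that honoured cross-namespace secret references would let one project's Ingress expose another project's certificate.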
The feature has been implemented since 3.10, so this bug is verified.