Bug 1420968 - [trello TxA9vyZz] should grant fewer privileges to user to make ingress work
Summary: [trello TxA9vyZz] should grant fewer privileges to user to make ingress work
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.5.0
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: ---
: 3.10.0
Assignee: Jacob Tanenbaum
QA Contact: zhaozhanqi
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-02-10 02:40 UTC by Hongan Li
Modified: 2022-08-04 22:20 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-20 21:09:29 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift openshift-docs pull 8638 0 None None None 2018-04-12 15:34:06 UTC
Origin (Github) 18658 0 None None None 2018-03-22 18:02:46 UTC

Description Hongan Li 2017-02-10 02:40:38 UTC 
Description of problem:
Currently, we must grand cluster-admin to the user to create/list ingress object. And also must add cluster role "system:service-serving-cert-controller" to router to make ingress work, they may have some security risk. 

Version-Release number of selected component (if applicable):
openshift v3.5.0.18+9a5d1aa
kubernetes v1.5.2+43a9be4
etcd 3.1.0

How reproducible:
always

Steps to Reproduce:
1. Enable ingress on haproxy
   oadm policy add-cluster-role-to-user cluster-reader system:serviceaccount:default:router
   oadm policy add-cluster-role-to-user system:service-serving-cert-controller system:serviceaccount:default:router
   oc env dc/router ROUTER_ENABLE_INGRESS=true
2. Login with general user and create pod,svc,ingress
   oc new-project hongli
   oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/caddy-docker.json
   oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/edge/service_unsecure.json
   oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/ingress/tls-ingress.json


Actual results:
Error from server (Forbidden): error when creating ... : User "hongli" cannot create extensions.ingresses in project "hongli"

Expected results:
general user can create ingress


Additional info:
workaround is adding cluster role "cluster-admin" to general user
Comment 1 Ben Bennett 2017-02-10 16:16:03 UTC 
For now I am okay with making this require cluster-admin.  It needs to read all secrets which is pretty scary, so until we work out how to make that more fine-grained we may as well use the big hammer permission.
Comment 2 Hongan Li 2018-02-06 07:19:51 UTC 
Hi @ben and @jtanenba, do you have any changes for this privileges ?

I tested in lastest OCP 3.9.0-0.38.0 and found that normal user can create ingresses directly (without "cluster-admin" role)

e.g.

# oc whoami
hongli

# oc create -f https://raw.githubusercontent.com/openshift-qe/v3-testfiles/master/routing/ingress/test-ingress.json
ingress "test-ingress" created

# oc get ing
NAME           HOSTS         ADDRESS   PORTS     AGE
test-ingress   foo.bar.com             80        28s
Comment 3 Jacob Tanenbaum 2018-04-12 15:38:33 UTC 
Instead of granting fewer permissions an ingress-to-route controller has been implemented. This allows an internal object to digest the ingress object and generate/keep in sync one or more route objects that satisfies the conditions of the ingress object
Comment 4 zhaozhanqi 2018-07-02 02:09:17 UTC 
The feature has been implemented from 3.10. So verified this bug.
Note You need to log in before you can comment on or make changes to this bug.