Red Hat Bugzilla – Bug 1468233
Allow standard users to manage destination on egress routers managed by replication controllers
Last modified: 2018-03-12 09:54:36 EDT
Description of problem:
It's common for containers deployed in OpenShift to need to connect to legacy environments policed by firewalls filtering on source and destination. The egress router exists to facilitate this but can only be managed by cluster admins which makes some sense as the administrator needs to allow an IP on node network. However, it is usually the developer of the container that needs to state the destination of the egress router. We would like to request that a feature be added to allow the router destination to be updated by standard users.
Secondly the egress router deploys as a cluster admin fine but when deploying the egress router managed by a replication controller the deployment fails with:
"forbidden: unable to validate against any security context constraint: [spec.containers.securityContext.privileged: Invalid value: true: Privileged containers are not allowed]"
It should be possible to deploy the container to be managed by a replication controller without having to allow privileged containers on the project.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Problem 1: Deploy an egress router as per https://docs.openshift.com/container-platform/latest/admin_guide/managing_networking.html#admin-guide-limit-pod-access-egress-router and try to deploy as a standard user
2. Problem 2: Deploy an egress router with replication as per https://docs.openshift.com/container-platform/latest/admin_guide/managing_networking.html#admin-guide-limit-pod-access-egress-router in a project that isn't allowed to deploy privilidged containers
I'm moving this to an RFE because the goal of the egress router is for the cluster administrators to be able to limit the traffic from a project. Self-control by the project administrator makes sense too, but is a different use-case.
Trello card https://trello.com/c/X7orBbI7
Sorry, I should have commented on this sooner...
> We would like to request that a feature be added to allow the router
> destination to be updated by standard users.
This is halfway possible by using a ConfigMap to specify the destination. This is described in the 3.6 docs: https://docs.openshift.org/latest/admin_guide/managing_networking.html#admin-guide-manage-pods-egress-router-configmap. The same idea of using a ConfigMap would work in earlier releases, although beware that the example in the 3.6 docs uses two other 3.6-specific features (initContainers and multi-value EGRESS_DESTINATION).
I say it's "halfway possible" because while it's possible for an unprivileged user to edit the ConfigMap, it's not possible for them to restart the egress-router pod after they do so... so we need to do something about that.
> Secondly the egress router deploys as a cluster admin fine but when deploying
> the egress router managed by a replication controller the deployment fails
This is weird... I'd swear this used to work, but I can't get it to work even in a 3.4 cluster now.
This bug has been identified as a dated (created more than 3 months ago) bug.
This bug has been triaged (has a trello card linked to it), or reviewed by Engineering/PM and has been put into the product backlog,
however this bug has not been slated for a currently planned release (3.9, 3.10 or 3.11), which cover our releases for the rest of the calendar year.
As a result of this bugs age, state on the current roadmap and PM Score (being below 70), this bug is being Closed - Differed,
as it is currently not part of the products immediate priorities.
Please see: https://docs.google.com/document/d/1zdqF4rB3ea8GmVIZ7qWCVYUaQ7-EexUrQEF0MTwdDkw/edit for more details.