Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1536304

Summary:	Project admin could create daemonsets in its namespace
Product:	OpenShift Container Platform	Reporter:	Chuan Yu <chuyu>
Component:	apiserver-auth	Assignee:	Mo <mkhan>
Status:	CLOSED NOTABUG	QA Contact:	Chuan Yu <chuyu>
Severity:	urgent	Docs Contact:
Priority:	urgent
Version:	3.9.0	CC:	aos-bugs, chuyu, dma, jokerman, mfojtik, mkhan, mmccomas, ssorce, tnozicka
Target Milestone:	---	Keywords:	Regression
Target Release:	3.9.0
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:
Clones:	1555363 1574773 (view as bug list)		Environment:
Last Closed:	2018-05-04 12:44:09 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	1501514, 1571093

Description Chuan Yu 2018-01-19 06:00:29 UTC

Description of problem:
Project admin could create/delete daemonsets in its namesapce

Version-Release number of selected component (if applicable):
# openshift version
openshift v3.9.0-0.21.0
kubernetes v1.9.1+a0ce1bc657
etcd 3.2.8


How reproducible:
always

Steps to Reproduce:
1.user create daemonset in its namespace
2.
3.

Actual results:
the daemonset create successfully.

Expected results:
user without system:admin sudoer could not create daemonset in its namespace

Additional info:
$ oc policy who-can create daemonset -n chuyu
Namespace: chuyu
Verb:      create
Resource:  daemonsets.extensions

Users:  pm1
        system:admin
        system:serviceaccount:kube-service-catalog:default
        system:serviceaccount:kube-system:clusterrole-aggregation-controller
        system:serviceaccount:openshift-ansible-service-broker:asb
        system:serviceaccount:openshift-infra:template-instance-controller

Groups: system:cluster-admins
        system:masters

$ oc whoami
pm1

Comment 1 Simo Sorce 2018-01-19 13:55:22 UTC

Do you have any logs we culd look at ?

Comment 4 Simo Sorce 2018-01-22 16:30:47 UTC

Moving to ansible based on above comment/logs

Comment 5 Scott Dodson 2018-01-24 16:10:39 UTC

The logs are gone unfortunately, can you reproduce and attach the logs to this bug so they're persisted indefinitely?

Also, what's pm1 user?

Comment 12 Simo Sorce 2018-03-14 12:23:32 UTC

This is the PR, please comment and approve/nit as needed:
https://github.com/openshift/origin/pull/18971

Comment 13 openshift-github-bot 2018-03-14 13:59:11 UTC

Commits pushed to master at https://github.com/openshift/origin

https://github.com/openshift/origin/commit/087d7660b4534442aed41346fee3a125e0ab0497
UPSTREAM: <carry>: Remove write permissions on daemonsets from Kubernetes bootstrap policy

Due to how daemonsets interact with the project node selector,
we need to limit write access to them to the cluster admin.

Bug 1536304
Bug 1501514

Signed-off-by: Monis Khan <mkhan>

https://github.com/openshift/origin/commit/a42347be22a9bb53fcc4bbb088e4f4074cb54c76
Update policy tests to reflect removal of write access on daemonsets

Bug 1536304
Bug 1501514

Signed-off-by: Monis Khan <mkhan>

https://github.com/openshift/origin/commit/4514d3540e0c16f31cf59feb19273c1d7f5bb7a1
Merge pull request #18971 from enj/enj/i/disable_daemonset_carry/1536304,1501514

Automatic merge from submit-queue.

UPSTREAM: <carry>: Remove write permissions on daemonsets from Kubernetes bootstrap policy

Due to how daemonsets interact with the project node selector, we need to limit write access to them to the cluster admin.

Bug 1536304
Bug 1501514

Signed-off-by: Monis Khan <mkhan>

/kind bug
/assign @liggitt @deads2k @simo5 @smarterclayton
@openshift/sig-security

/cherrypick release-3.9

Comment 14 Tomáš Nožička 2018-03-14 15:37:11 UTC

3.9 PR:
https://github.com/openshift/origin/pull/18977

Comment 15 Chuan Yu 2018-03-16 08:44:28 UTC

Verified.

# openshift version
openshift v3.9.11
kubernetes v1.9.1+a0ce1bc657
etcd 3.2.16

Comment 16 openshift-github-bot 2018-03-16 13:20:54 UTC

Commit pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/ea979387b6c874dd99a2e5442b327edf15e20fa6
Undo changes to daemonset RBAC docs

Revert "Remove daemonset from RBAC docs"

This reverts commit 9912d863c3ff2c7333e4aaa42e4b6efe42abc3ec.

Revert "Removed link to Granting Users Daemonset Permissions as followup to PR#7981"

This reverts commit 015ed3852fd0344c6a49495db76277f0316ce832.

Bug 1536304
Bug 1501514

Comment 17 Chuan Yu 2018-05-04 01:17:10 UTC

This issue happen again.
# openshift version
openshift v3.9.27
kubernetes v1.9.1+a0ce1bc657

Comment 18 Chuan Yu 2018-05-04 02:36:01 UTC

Clone a new one to track.

Comment 19 Mo 2018-05-04 12:44:09 UTC

Per David Eads in https://bugzilla.redhat.com/show_bug.cgi?id=1555363#c5:

> https://github.com/openshift/ose/pull/1205 merged, so the controller doesn't
> create pods it knows will be rejected.  "fixing" the default role to
> disallow the creation of a daemonset was a bug.

The change is merged as of v3.9.26-1

This readds the deamonset permission as it is safe for normal users to have.  Thus this is the expected behavior.