Bug 1555363 - Project admin could create daemonsets in its namespace
Summary: Project admin could create daemonsets in its namespace
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: ---
Target Release: 3.10.0
Assignee: Simo Sorce
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2018-03-14 14:43 UTC by Tomáš Nožička
Modified: 2018-05-04 12:42 UTC

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of: 1536304
Environment:
Last Closed: 2018-05-04 12:42:47 UTC
Target Upstream Version:
Embargoed:



Comment 1 Tomáš Nožička 2018-03-14 14:45:31 UTC
https://github.com/openshift/origin/pull/18971

Comment 2 Chuan Yu 2018-03-28 06:15:56 UTC
Verified.
# openshift version
openshift v3.10.0-0.14.0
kubernetes v1.9.1+a0ce1bc657
etcd 3.2.16

Comment 3 Chuan Yu 2018-04-23 09:21:37 UTC
The issue is present again.

# openshift version
openshift v3.10.0-0.27.0
kubernetes v1.10.0+b81c8f8
etcd 3.2.16

Comment 4 Mo 2018-04-23 14:45:10 UTC
David, where do we stand on this now? I believe we are carrying a patch on the DS controller to make it a non-issue?

Comment 5 David Eads 2018-04-23 17:58:04 UTC
https://github.com/openshift/ose/pull/1205 merged, so the controller doesn't create pods it knows will be rejected.  "fixing" the default role to disallow the creation of a daemonset was a bug.

Comment 6 Simo Sorce 2018-04-23 18:33:25 UTC
Setting to modified to indicate it should be fixed as David mentioned

Comment 7 Mo 2018-05-04 12:42:47 UTC
Per David Eads in https://bugzilla.redhat.com/show_bug.cgi?id=1555363#c5:

> https://github.com/openshift/ose/pull/1205 merged, so the controller doesn't
> create pods it knows will be rejected.  "fixing" the default role to
> disallow the creation of a daemonset was a bug.

The change is merged as of v3.9.26-1

This re-adds the daemonset permission as it is safe for normal users to have. Thus this is the expected behavior.

