Description of problem:
We need permission to list / watch imagestream tags at cluster scope for the dedicated-admin role in order to trigger certification scans.

Version-Release number of selected component (if applicable):

How reproducible:
always

Steps to Reproduce:
1. try to list istags for cluster
2.
3.

Actual results:
get told that user cannot list istags for entire cluster.

Expected results:
successfully list istags for entire cluster.

Additional info:
Per request of Will, I'm also noting here that we'd like the ability to view these resources at a cluster level as well:
- builds
- buildconfigs

We've sufficiently worked around the need for is/istags, but cluster-wide GET access for builds would be great.
Verified this bug on OCP 3.9: the user is able to check images/imagestreamtags/builds/buildconfigs at cluster scope after being granted the "dedicated-cluster-admin" clusterrole.

Before being granted "dedicated-cluster-admin":

$ oc get imagestreamtags --all-namespaces
Error from server (Forbidden): imagestreamtags.image.openshift.io is forbidden: User "bingli" cannot list imagestreamtags.image.openshift.io at the cluster scope: User "bingli" cannot list all imagestreamtags.image.openshift.io in the cluster
$ oc get image --all-namespaces
Error from server (Forbidden): images.image.openshift.io is forbidden: User "bingli" cannot list images.image.openshift.io at the cluster scope: User "bingli" cannot list all images.image.openshift.io in the cluster
$ oc get build --all-namespaces
Error from server (Forbidden): builds.build.openshift.io is forbidden: User "bingli" cannot list builds.build.openshift.io at the cluster scope: User "bingli" cannot list all builds.build.openshift.io in the cluster
$ oc get bc --all-namespaces
Error from server (Forbidden): buildconfigs.build.openshift.io is forbidden: User "bingli" cannot list buildconfigs.build.openshift.io at the cluster scope: User "bingli" cannot list all buildconfigs.build.openshift.io in the cluster

After being granted "dedicated-cluster-admin":

# oc adm policy add-cluster-role-to-user dedicated-cluster-admin bingli
cluster role "dedicated-cluster-admin" added: "bingli"
$ oc get imagestreamtags --all-namespaces | wc -l
138
$ oc get image --all-namespaces | wc -l
122
$ oc get build --all-namespaces | wc -l
2
$ oc get bc --all-namespaces | wc -l
2
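The "cannot list ... at the cluster scope" errors above come from the fact that a namespaced binding never satisfies a cluster-scoped request such as `--all-namespaces`; only a ClusterRoleBinding does. The following is an added, simplified model of that RBAC evaluation written for this report (not OpenShift's authorizer and not code from the thread); the user "bingli", the namespace "proj-a" and the read-only rule set are constructed for the illustration.

```python
"""Simplified model of Kubernetes/OpenShift RBAC evaluation (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Rule:
    api_groups: Set[str]
    resources: Set[str]
    verbs: Set[str]

    def matches(self, group: str, resource: str, verb: str) -> bool:
        # "*" is the wildcard, as in a real PolicyRule
        return (("*" in self.api_groups or group in self.api_groups)
                and ("*" in self.resources or resource in self.resources)
                and ("*" in self.verbs or verb in self.verbs))


@dataclass
class Binding:
    subject: str
    rules: List[Rule]
    namespace: Optional[str] = None  # None models a ClusterRoleBinding


def can(bindings: List[Binding], user: str, verb: str, group: str,
        resource: str, namespace: Optional[str] = None) -> bool:
    """namespace=None is a cluster-scoped request (e.g. `oc get istag --all-namespaces`)."""
    for b in bindings:
        if b.subject != user:
            continue
        # a RoleBinding only covers requests made inside its own namespace,
        # so it can never authorize a cluster-scoped list/watch
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(r.matches(group, resource, verb) for r in b.rules):
            return True
    return False


# Read-only rules for the resources the report asks about (constructed, least-privilege)
READ_ONLY = [
    Rule({"image.openshift.io"}, {"imagestreamtags", "images"}, {"get", "list", "watch"}),
    Rule({"build.openshift.io"}, {"builds", "buildconfigs"}, {"get", "list", "watch"}),
]


def demo() -> dict:
    before = [Binding("bingli", READ_ONLY, namespace="proj-a")]   # RoleBinding only
    after = before + [Binding("bingli", READ_ONLY)]                # plus ClusterRoleBinding
    return {
        "ns_list_before": can(before, "bingli", "list", "image.openshift.io", "imagestreamtags", "proj-a"),
        "cluster_list_before": can(before, "bingli", "list", "image.openshift.io", "imagestreamtags"),
        "cluster_list_after": can(after, "bingli", "list", "build.openshift.io", "builds"),
        "cluster_delete_after": can(after, "bingli", "delete", "build.openshift.io", "builds"),
    }
```

The last key shows the point of keeping the rules to get/list/watch: the cluster-wide grant still denies mutating verbs.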
Hello Bing Li, Would you please verify this against a 3.7 cluster as well? Thank you!
Verified on OCP 3.7: the user is able to get images/imagestreamtags/builds/buildconfigs at cluster scope after being granted the "dedicated-cluster-admin" clusterrole:

$ oc get imagestreamtags --all-namespaces | wc -l
130
$ oc get image --all-namespaces | wc -l
$ oc get build --all-namespaces | wc -l
5
$ oc get bc --all-namespaces | wc -l
5