Bug 1564269 - add list istags at cluster scope to dedicated-admin role in openshift dedicated.
Summary: add list istags at cluster scope to dedicated-admin role in openshift dedicated.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Online
Classification: Red Hat
Component: RFE
Version: 3.x
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: ---
: ---
Assignee: Abhishek Gupta
QA Contact: yasun
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-04-05 20:58 UTC by Brian Cook
Modified: 2018-05-29 14:12 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-05-29 14:12:51 UTC
Target Upstream Version:


Attachments (Terms of Use)

Description Brian Cook 2018-04-05 20:58:58 UTC
Description of problem:

We need permission to list / watch imagestream tags at cluster scope for dedicated-admin role in order to trigger certification scans.


Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. try to list istags for cluster
2. 
3.

Actual results:
get told that user cannot list istags for entire cluster.

Expected results:
successfully list istags for entire cluster.

Additional info:

Comment 1 Patrick Easters 2018-04-16 16:53:18 UTC
Per request of Will, I'm also noting here that we'd like the ability to view these resources at a cluster level as well:
builds
buildconfigs

We've sufficiently worked around the need for is/istags, but cluster-wide GET access for builds would be great.

Comment 4 Bing Li 2018-04-19 09:53:45 UTC
Verified this bug on OCP 3.9: 

user will be able to check the images/imagestreamtags/builds/buildconfigs at cluster scope after granted the "dedicated-cluster-admin" clusterrole:

Before granted "dedicated-cluster-admin":

$ oc get imagestreamtags --all-namespaces 
Error from server (Forbidden): imagestreamtags.image.openshift.io is forbidden: User "bingli" cannot list imagestreamtags.image.openshift.io at the cluster scope: User "bingli" cannot list all imagestreamtags.image.openshift.io in the cluster

$ oc get image --all-namespaces 
Error from server (Forbidden): images.image.openshift.io is forbidden: User "bingli" cannot list images.image.openshift.io at the cluster scope: User "bingli" cannot list all images.image.openshift.io in the cluster

$ oc get build --all-namespaces 
Error from server (Forbidden): builds.build.openshift.io is forbidden: User "bingli" cannot list builds.build.openshift.io at the cluster scope: User "bingli" cannot list all builds.build.openshift.io in the cluster

$ oc get bc --all-namespaces 
Error from server (Forbidden): buildconfigs.build.openshift.io is forbidden: User "bingli" cannot list buildconfigs.build.openshift.io at the cluster scope: User "bingli" cannot list all buildconfigs.build.openshift.io in the cluster


After granted "dedicated-cluster-admin":

# oc adm policy add-cluster-role-to-user dedicated-cluster-admin bingli
cluster role "dedicated-cluster-admin" added: "bingli"

$ oc get imagestreamtags --all-namespaces | wc -l
138
$ oc get image --all-namespaces | wc -l
122
$ oc get build --all-namespaces | wc -l
2
$ oc get bc --all-namespaces | wc -l
2

Comment 5 Will Gordon 2018-04-19 13:13:04 UTC
Hello Bing Li,

Would you please verify this against a 3.7 cluster as well?

Thank you!

Comment 6 Bing Li 2018-04-20 03:20:31 UTC
Verified on OCP 3.7:

User can be able to get images/imagestreamtags/builds/buildconfigs at cluster scope after granted the "dedicated-cluster-admin" clusterrole:

$ oc get imagestreamtags --all-namespaces | wc -l
130
$ oc get image --all-namespaces | wc -l
$ oc get build --all-namespaces | wc -l
5
$ oc get bc --all-namespaces | wc -l
5


Note You need to log in before you can comment on or make changes to this bug.