Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be unavailable on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1574773 - Project admin could create daemonsets in its namespace
Summary: Project admin could create daemonsets in its namespace
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 3.9.0
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: ---
: 3.9.z
Assignee: Simo Sorce
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On:
Blocks: 1501514 1571093
TreeView+ depends on / blocked
 
Reported: 2018-05-04 02:33 UTC by Chuan Yu
Modified: 2018-05-04 12:44 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1536304
Environment:
Last Closed: 2018-05-04 12:44:29 UTC
Target Upstream Version:


Attachments (Terms of Use)

Comment 1 Chuan Yu 2018-05-04 02:37:13 UTC
This issue happen again.
# openshift version
openshift v3.9.27
kubernetes v1.9.1+a0ce1bc657

Comment 2 Mo 2018-05-04 12:44:29 UTC
Per David Eads in https://bugzilla.redhat.com/show_bug.cgi?id=1555363#c5:

> https://github.com/openshift/ose/pull/1205 merged, so the controller doesn't
> create pods it knows will be rejected.  "fixing" the default role to
> disallow the creation of a daemonset was a bug.

The change is merged as of v3.9.26-1

This readds the deamonset permission as it is safe for normal users to have.  Thus this is the expected behavior.


Note You need to log in before you can comment on or make changes to this bug.