Description of problem:
The "cluster-admin" permission is very high; we should grant another clusterrole to the "olm-operator-serviceaccount".
The issue is here: https://github.com/openshift/openshift-ansible/blob/master/roles/olm/files/02-alm-operator.rolebinding.yaml#L10

Version-Release number of selected component (if applicable):
openshift-ansible master branch

How reproducible:
always

Steps to Reproduce:
1. Install the OLM via the openshift-ansible
2. Check the clusterrolebinding "olm-operator-binding-operator-lifecycle-manager"

Actual results:
[root@qe-azure-master-etcd-1 ~]# oc get clusterrolebinding | grep olm
olm-operator-binding-operator-lifecycle-manager    /cluster-admin    operator-lifecycle-manager/olm-operator-serviceaccount
[root@qe-azure-master-etcd-1 ~]# oc get clusterrolebinding olm-operator-binding-operator-lifecycle-manager -o yaml
apiVersion: authorization.openshift.io/v1
groupNames: null
kind: ClusterRoleBinding
metadata:
  creationTimestamp: 2018-09-04T02:55:50Z
  name: olm-operator-binding-operator-lifecycle-manager
  resourceVersion: "3681"
  selfLink: /apis/authorization.openshift.io/v1/clusterrolebindings/olm-operator-binding-operator-lifecycle-manager
  uid: 080be9a6-afee-11e8-8e1b-000d3a046897
roleRef:
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: olm-operator-serviceaccount
  namespace: operator-lifecycle-manager
userNames:
- system:serviceaccount:operator-lifecycle-manager:olm-operator-serviceaccount

Expected results:
The "olm-operator-serviceaccount" should not use the "cluster-admin".

Additional info:
OLM creates new API groups and needs to grant access to those API groups (e.g. adding them to the aggregated view and edit roles). I don't know of a role we could construct that would allow OLM to do this without cluster-admin.

For example:
- User installs OLM
- User uses OLM to install Etcd Operator
- OLM installs EtcdCluster CRD
- OLM needs to create an aggregated role for Group: "etcd.database.coreos.com/v1beta2", kind: "EtcdCluster"
- In order to create the Role it must have a superset of those permissions, but it can't because OLM doesn't know ahead of time what kinds a user will register via OLM.
- The only solution I know of is to grant access to all groups.

OLM is a controller over the api layer, much like the aggregation controller: https://github.com/kubernetes/kubernetes/blob/7f23a743e8c23ac6489340bbb34fa6f1d392db9d/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go#L81-L88 (it is also granted * *)

To fall in line with the bootstrapped policy convention, I've added a ClusterRole for olm which explicitly states that it needs that permission. I'll update here when that change is merged.
Haven't fixed yet.
This is fixed here: https://github.com/openshift/openshift-ansible/pull/9949, not merged yet.
The fix is merged.
LGTM, verified.

[root@qe-juzhao-311-gce-1-master-etcd-1 ~]# oc get clusterrolebinding olm-operator-binding-operator-lifecycle-manager -o yaml
apiVersion: authorization.openshift.io/v1
groupNames: null
kind: ClusterRoleBinding
metadata:
  creationTimestamp: 2018-09-11T03:29:24Z
  name: olm-operator-binding-operator-lifecycle-manager
  resourceVersion: "41478"
  selfLink: /apis/authorization.openshift.io/v1/clusterrolebindings/olm-operator-binding-operator-lifecycle-manager
  uid: e11efebd-b572-11e8-b1e8-42010af0000c
roleRef:
  name: system:controller:operator-lifecycle-manager
subjects:
- kind: ServiceAccount
  name: olm-operator-serviceaccount
  namespace: operator-lifecycle-manager
userNames:
- system:serviceaccount:operator-lifecycle-manager:olm-operator-serviceaccount

[root@qe-juzhao-311-gce-1-master-etcd-1 ~]# oc get clusterrole system:controller:operator-lifecycle-manager -o yaml
apiVersion: authorization.openshift.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: 2018-09-11T03:29:20Z
  name: system:controller:operator-lifecycle-manager
  resourceVersion: "41470"
  selfLink: /apis/authorization.openshift.io/v1/clusterroles/system%3Acontroller%3Aoperator-lifecycle-manager
  uid: df1c9f4e-b572-11e8-b1e8-42010af0000c
rules:
- apiGroups:
  - '*'
  attributeRestrictions: null
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups: null
  attributeRestrictions: null
  nonResourceURLs:
  - '*'
  resources: []
  verbs:
  - '*'
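The verification output above shows that the replacement role grants every verb on every resource in every API group plus every non-resource URL, which is the same grant cluster-admin carries, so the binding change renames the privilege rather than reducing it. The following Python is an added example, not part of this bug or of openshift-ansible: it audits ClusterRoleBindings for references to cluster-admin or to any wildcard-equivalent role, so such bindings can be inventoried and reviewed. The sample objects are constructed from the output above; the dict shape assumes the `apiGroups`/`resources`/`verbs`/`nonResourceURLs` field names that `oc get ... -o json` emits.

```python
"""Audit ClusterRoleBindings for cluster-admin or wildcard-equivalent roles.
Sample objects below are constructed from the bug report, not fetched from a cluster."""


def rule_is_full_wildcard(rule):
    """True if a single rule grants every verb on every resource in every API group."""
    return ("*" in (rule.get("apiGroups") or [])
            and "*" in (rule.get("resources") or [])
            and "*" in (rule.get("verbs") or []))


def rule_is_nonresource_wildcard(rule):
    """True if a single rule grants every verb on every non-resource URL."""
    return ("*" in (rule.get("nonResourceURLs") or [])
            and "*" in (rule.get("verbs") or []))


def is_cluster_admin_equivalent(role):
    """A role carrying both wildcard rules is cluster-admin under another name."""
    rules = role.get("rules") or []
    return (any(rule_is_full_wildcard(r) for r in rules)
            and any(rule_is_nonresource_wildcard(r) for r in rules))


def flag_bindings(bindings, roles):
    """Names of bindings whose roleRef is cluster-admin or an equivalent role."""
    by_name = {r["metadata"]["name"]: r for r in roles}
    flagged = []
    for b in bindings:
        ref = b["roleRef"]["name"]
        if ref == "cluster-admin" or (ref in by_name and is_cluster_admin_equivalent(by_name[ref])):
            flagged.append(b["metadata"]["name"])
    return flagged


# Constructed sample: the role from the verification comment, and the OLM binding before/after the fix.
OLM_ROLE = {
    "metadata": {"name": "system:controller:operator-lifecycle-manager"},
    "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": None, "nonResourceURLs": ["*"], "resources": [], "verbs": ["*"]},
    ],
}
SA = [{"kind": "ServiceAccount", "name": "olm-operator-serviceaccount",
       "namespace": "operator-lifecycle-manager"}]
BINDING_BEFORE = {"metadata": {"name": "olm-binding-before-fix"},
                  "roleRef": {"name": "cluster-admin"}, "subjects": SA}
BINDING_AFTER = {"metadata": {"name": "olm-binding-after-fix"},
                 "roleRef": {"name": "system:controller:operator-lifecycle-manager"}, "subjects": SA}

if __name__ == "__main__":
    print(flag_bindings([BINDING_BEFORE, BINDING_AFTER], [OLM_ROLE]))
```

Both bindings are flagged, which is the point: the audit must look at what the referenced role grants, not at whether its name is cluster-admin.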
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:2652