
Bug 1658209

Summary: Built-in user-facing clusterroles (admin, edit, etc.) missing rules for controller revisions
Product: OpenShift Container Platform
Reporter: Simon Reber <sreber>
Component: apiserver-auth
Assignee: Stefan Schimanski <sttts>
Status: CLOSED NEXTRELEASE
QA Contact: Chuan Yu <chuyu>
Severity: medium
Priority: high
Version: 3.9.0
CC: aos-bugs, evb, nagrawal, slaznick
Target Milestone: ---
Target Release: 3.9.z
Hardware: x86_64
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of:
: 1768878
Last Closed: 2019-06-25 07:33:43 UTC
Type: Bug
Regression: ---

Description Simon Reber 2018-12-11 14:14:40 UTC
Description of problem:

Running OpenShift Container Platform 3.9, the command `oc rollout history statefulset/<statefulset>` is failing with the below error.

error: unable to find history controlled by StatefulSet <statefulset>: controllerrevisions.apps is forbidden: User "test" cannot list controllerrevisions.apps in the namespace "project": User "test" cannot list controllerrevisions.apps in project "project"

Checking on `master-api` logs, the following is reported.

Dec 11 08:50:59 master-0.example.com atomic-openshift-master-api[86611]: I1211 08:50:59.883742   86611 rbac.go:116] RBAC DENY: user "test" groups ["system:authenticated:oauth" "system:authenticated"] cannot "list" resource "controllerrevisions.apps" in namespace "project"


$ oc get rolebinding -n project
NAME      ROLE     USERS          GROUPS   SERVICE ACCOUNTS   SUBJECTS
admin     /admin   system:admin
admin-0   /admin   test


Looking upstream, I can see the following issue and fix

 + https://github.com/kubernetes/kubernetes/issues/70697
 + https://github.com/kubernetes/kubernetes/pull/70699

Looks quite similar to what we have in this case. But the fix from https://github.com/kubernetes/kubernetes/pull/70699 does not seem to work.

Added `controllerrevisions` to `apps` API group in `system:aggregate-to-view` but that does not help:

# oc get clusterrole system:aggregate-to-view -o yaml | grep -b5 controllerrevisions
1166-  - watch
1176-- apiGroups:
1189-  - apps
1198-  attributeRestrictions: null
1228-  resources:
1241:  - controllerrevisions
1265-  - daemonsets
1280-  - deployments
1296-  - deployments/scale
1318-  - replicasets
1334-  - replicasets/scale

Version-Release number of selected component (if applicable):
v3.9.51

How reproducible:
Always

Steps to Reproduce:
1. Create a statefulset within the OpenShift Container Platform - Cluster (specific project)
2. Add `admin` role to user
3. oc rollout history statefulset/<statefulset>

Actual results:

error: unable to find history controlled by StatefulSet <statefulset>: controllerrevisions.apps is forbidden: User "test" cannot list controllerrevisions.apps in the namespace "project": User "test" cannot list controllerrevisions.apps in project "project"

Expected results:

Revision history to be displayed (works with `cluster-admin` permissions)

oc rollout history statefulset/<statefulset> -n project
statefulsets "<statefulset>"
REVISION
0
1

Additional info:

Comment 2 Standa Laznicka 2019-05-29 14:16:20 UTC
I believe this was solved on Slack by
"repeat add `controllerrevisions` to `apps` API group in `system:aggregate-to-view` for `system:aggregate-to-edit` and `system:aggregate-to-admin`"

I'll close this BZ tomorrow unless that did not work for you.
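The grant described in this comment, written as a separate aggregated ClusterRole instead of editing the `system:aggregate-to-*` roles in place. This is an added example, not code from the bug report or from OpenShift; the role name `controllerrevisions-reader` is an assumption, and the aggregation labels are the standard RBAC ones that fold a role into the built-in admin, edit and view clusterroles.

```yaml
# Added example (not from the bug report): a supplementary ClusterRole that the
# RBAC aggregation controller merges into the built-in admin, edit and view
# clusterroles, so a user bound to any of them can read controllerrevisions.apps
# and `oc rollout history statefulset/<name>` no longer fails with RBAC DENY.
# The name "controllerrevisions-reader" is an assumption.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: controllerrevisions-reader
  labels:
    # Each label selects this role into the corresponding aggregated clusterrole.
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  # Read-only verbs are all `oc rollout history` needs; no create/update/delete,
  # so the view role stays read-only after aggregation.
  verbs:
  - get
  - list
  - watch
```

After `oc create -f` on this manifest, `oc auth can-i list controllerrevisions.apps --as=test -n project` should answer `yes` for a user who previously hit the denial, and `oc get clusterrole view -o yaml` should show the new rule merged in.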

Comment 4 Simon Reber 2019-06-25 07:33:43 UTC
(In reply to Standa Laznicka from comment #2)
> I believe this was solved on Slack by
> "repeat add `controllerrevisions` to `apps` API group in
> `system:aggregate-to-view` for `system:aggregate-to-edit` and
> `system:aggregate-to-admin`"
> 
> I'll close this BZ tomorrow unless that did not work for you.
Tested this and it seems to address the issue.