Bug 1684344 - RoleBindingRestriction need move to CRD for 4.x
Summary: RoleBindingRestriction need move to CRD for 4.x
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 4.1.0
Assignee: Sally
QA Contact: Chuan Yu
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-03-01 03:02 UTC by Chuan Yu
Modified: 2019-06-04 10:44 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-04 10:44:51 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 0 None None None 2019-06-04 10:44:57 UTC

Description Chuan Yu 2019-03-01 03:02:23 UTC
Description of problem:
rolebindingrestrction for 4.x not working well

Version-Release number of selected component (if applicable):
4.0.0-0.nightly-2019-02-26-125216

How reproducible:
always

Steps to Reproduce:
1.config kubeapiserver cluster with:
spec:
  unsupportedConfigOverrides:
    admissionConfig:
      pluginConfig:
        openshift.io/RestrictSubjectBindings:
          configuration:
            apiversion: v1
            kind: DefaultAdmissionConfig

2.create a user restriction rolebindingrestrion for ns pm1(user pm1 is owner):

apiVersion: v1
kind: RoleBindingRestriction
metadata:
  name: match-users
spec:
  userrestriction:
    users: [""]

3.try to add view role to other user by user pm1
oc policy add-role-to-user view pm3

Actual results:
Add view role to other user successfully

Expected results:
could not add role to other users, and should should report error like:
rror from server (Forbidden): rolebindings.rbac.authorization.k8s.io "view" is forbidden: rolebindings to User "pm3" are not allowed in project "pm1"

Additional info:

Comment 1 Erica von Buelow 2019-03-06 16:01:10 UTC
https://github.com/openshift/origin/pull/22254

Comment 4 Chuan Yu 2019-03-14 06:50:56 UTC
Verified.

$ oc get clusterversion
NAME      VERSION                            
version   4.0.0-0.nightly-2019-03-13-233958

Comment 5 Chuan Yu 2019-04-01 01:41:15 UTC
Since the changes reverted, https://github.com/openshift/origin/pull/22416 , re-open the issue.

Comment 9 Justin Pierce 2019-04-29 19:21:10 UTC
*** Bug 1703789 has been marked as a duplicate of this bug. ***

Comment 10 Sally 2019-05-01 19:30:42 UTC
Series of PRS landing today/tomorrow in origin & cluster-config-operator to resolve, convert RBRs to CRD

Comment 13 Sally 2019-05-04 18:07:51 UTC
PRs merged, RBRs are now CRDs.
The issue originally reported in this BZ still exists, however. 

1) set up htpasswd, add non-admin user testuser
2) login as testuser, create-project test
3) login as system:admin
4) create rbr:
apiVersion: authorization.openshift.io/v1
kind: RoleBindingRestriction
metadata:
  name: match-users
spec:
  userrestriction: 
    users: [""]
5) login as user testuser
6) oc policy add-role-to-user view user3

Actual results:
Add view role to user3 successfully

Expected results:
could not add role to other users, and should should report error like:
rror from server (Forbidden): rolebindings.rbac.authorization.k8s.io "view" is forbidden: rolebindings to User "user3" are not allowed in project "test"

Will be looking into this Monday.

Comment 14 Sally 2019-05-05 21:25:44 UTC
tried again, same cluster, a day later, got the correct and expected:

$ oc policy add-role-to-user view testuser2
Error from server (Forbidden): rolebindings.rbac.authorization.k8s.io "view-0" is forbidden: rolebindings to User "testuser2" are not allowed in project "test"

I'll keep testing in fresh clusters.

Comment 16 Chuan Yu 2019-05-07 01:51:27 UTC
I have tried the userrestriction, it work as expected.

Comment 17 Chuan Yu 2019-05-07 01:51:51 UTC
Verified on 4.1.0-0.nightly-2019-05-06-223020

Comment 19 errata-xmlrpc 2019-06-04 10:44:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758


Note You need to log in before you can comment on or make changes to this bug.