Bug 1697638 - cluster-reader aggregate role should have access to view all cluster config maps and CRs (but not secrets)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: apiserver-auth
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: 4.1.0
Assignee: Erica von Buelow
QA Contact: Chuan Yu
URL:
Whiteboard:
Duplicates: 1698819
Depends On:
Blocks:
Reported: 2019-04-08 21:20 UTC by Clayton Coleman
Modified: 2019-06-04 10:47 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-04 10:47:18 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2019:0758 | 0 | None | None | None | 2019-06-04 10:47:29 UTC

Description Clayton Coleman 2019-04-08 21:20:31 UTC
cluster-reader is what I can use to see a cluster. Since global config CRs and config maps are neither secret nor escalating, I should either be able to view them, or view a subset of them.

Comment 1 Ryan Phillips 2019-04-10 23:58:34 UTC
PR: https://github.com/openshift/origin/pull/22533

Comment 2 Mo 2019-04-11 11:15:34 UTC
*** Bug 1698819 has been marked as a duplicate of this bug. ***

Comment 3 Ryan Phillips 2019-04-17 21:18:01 UTC
Updated PR: https://github.com/openshift/cluster-config-operator/pull/47
Closed the previously posted PR.

Comment 4 Ryan Phillips 2019-04-23 21:13:38 UTC
https://github.com/openshift/cluster-config-operator/pull/47 merged with the `system:openshift:cluster-config-operator:cluster-reader` cluster role.
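
Added example (not part of the bug thread and not the contents of the merged role): because the rules of every aggregated role are unioned into cluster-reader, a reviewer can audit a candidate rule set for the property the bug title asks for, read access to config maps and config CRs without exposing secrets. The rule sets and the use of the `config.openshift.io` group for the global config CRs are assumptions made for illustration.

```python
# Added example: audit RBAC rules meant to be aggregated into a read-only role.
# Both rule sets are constructed samples, not the rules shipped by the
# cluster-config-operator role named in this bug.

READ_ONLY_VERBS = {"get", "list", "watch"}

INTENDED = [  # constructed: config maps plus config CRs, read-only
    {"apiGroups": [""], "resources": ["configmaps"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["config.openshift.io"], "resources": ["*"],
     "verbs": ["get", "list", "watch"]},
]

TOO_BROAD = [  # constructed: wildcard in the core group, wildcard verbs
    {"apiGroups": [""], "resources": ["*"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["config.openshift.io"], "resources": ["*"],
     "verbs": ["*"]},
]


def audit_rules(rules):
    """Return findings for rules that would widen a reader role."""
    findings = []
    for i, rule in enumerate(rules):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))

        # Anything beyond get/list/watch (including "*") is not read-only.
        extra = verbs - READ_ONLY_VERBS
        if extra:
            findings.append(f"rule {i}: non-read verbs {sorted(extra)}")

        # Secrets live in the core API group (""); "*" matches every group.
        if groups & {"", "*"}:
            # Match secrets by name, by subresource, or through a wildcard.
            hits = {r for r in resources
                    if r == "*" or r.split("/")[0] == "secrets"}
            if hits:
                findings.append(f"rule {i}: exposes secrets via {sorted(hits)}")
    return findings


if __name__ == "__main__":
    for name, rules in (("INTENDED", INTENDED), ("TOO_BROAD", TOO_BROAD)):
        print(name, audit_rules(rules) or "ok")
```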

Comment 6 Chuan Yu 2019-04-24 03:12:41 UTC
The 4.1.0-0.nightly-2019-04-23-223857 does not include this fix.

$ oc adm release info --pullspecs registry.svc.ci.openshift.org/ocp/release:4.1.0-0.nightly-2019-04-23-223857 | grep cluster-config-operator
  cluster-config-operator                       quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:265689fce27a37057f1dbec76764a6c4d659d3fc3e542e499e2918fab1ba47b7

$ oc image info quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:265689fce27a37057f1dbec76764a6c4d659d3fc3e542e499e2918fab1ba47b7 | grep -A 6 commit.id
             io.openshift.build.commit.id=f53033e30ed457046b1b77f8259e99d5b3b55f2e
             io.openshift.build.commit.url=https://github.com/openshift/cluster-config-operator/commit/f53033e30ed457046b1b77f8259e99d5b3b55f2e
             io.openshift.build.source-location=https://github.com/openshift/cluster-config-operator
             io.openshift.release.operator=true
             io.openshift.tags=openshift,base
             name=openshift/ose-cluster-config-operator
             release=201904211700

Comment 7 Ryan Phillips 2019-04-24 19:05:45 UTC
There was an issue with image promotions yesterday. I verified that this is working in https://origin-release.svc.ci.openshift.org/releasestream/4.1.0-0.okd/release/4.1.0-0.okd-2019-04-24-182549.

Comment 8 Chuan Yu 2019-04-25 08:27:05 UTC
Verified.

$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.1.0-0.nightly-2019-04-25-002910   True        False         5h22m   Cluster version is 4.1.0-0.nightly-2019-04-25-002910

Comment 10 errata-xmlrpc 2019-06-04 10:47:18 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758

