I'm told that David or Clayton can point you to where to fix this, but the 'cluster-reader' role is unable to read the samples operator config. Since this is not a priv escalation, to read the config, it should be allowed.
(In reply to Eric Paris from comment #0)
> I'm told that David or Clayton can point you to where to fix this, but the
> 'cluster-reader' role is unable to read the samples operator config. Since
> this is not a priv escalation, to read the config, it should be allowed.
Pretty sure this applies to all of the operator resources we have in the operator.openshift.io group.
See oc get clusterrole.rbac system:openshift:cluster-config-operator:cluster-reader -o yaml as an example of how we handle the config resources.
ooh PR ref automatically added with the new git/bugzilla bot
Steve K did some amazing work starting to get these systems to work together.
Verified with 4.2.0-0.nightly-2019-08-01-035705 version.
Add system:openshift:cluster-samples-operator:cluster-reader clusterrole to a common user.
#oc adm policy add-cluster-role-to-user system:openshift:cluster-samples-operator:cluster-reader xiuwang1
Then user could fetch the samples operator crd.
$oc whoami
xiuwang1
$oc get config.samples.operator
NAME      AGE
cluster   11m
$oc patch config.samples.operator cluster -p '{"spec":{"managementState": "Unmanaged"}}'
Error from server (Forbidden): configs.samples.operator.openshift.io "cluster" is forbidden: User "xiuwang1" cannot patch resource "configs" in API group "samples.operator.openshift.io" at the cluster scope
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2922