Description of problem:
normal user is forbidden to start a vm

Version-Release number of selected component (if applicable):
HCO2.0.0-29

How reproducible:
always

Steps to Reproduce:
1. create Secret and OAuth by using the script below; the user can be created
   https://raw.githubusercontent.com/cucushift/IDP/master/htpasswd.sh
2. give user edit role
   # oc adm policy add-cluster-role-to-user edit pm2
   cluster role "edit" added: "pm2"
3. login
   # oc login -u pm2 -p redhat
   Login successful.
4. create a vm and use virtctl to start vm
   # oc create -f re-user.yaml
   virtualmachine.kubevirt.io/re-cirros created
   # virtctl start re-cirros

Actual results:
Error starting VirtualMachine virtualmachines.subresources.kubevirt.io "re-cirros" is forbidden: User "pm2" cannot update resource "virtualmachines/start" in API group "subresources.kubevirt.io" in the namespace "default"

Expected results:
vm can be started/stopped/restarted

Additional info:
we have one bug in cnv1.4 https://bugzilla.redhat.com/show_bug.cgi?id=1666704
Unfortunately, after applying the same patch as for the restart command in the mentioned CNV 1.4 bz, I'm running into another error. Investigating.
Although the ordinary user was not allowed to start/restart/stop a VM using virtctl, it can do these operations successfully on the web console.

[root@dell-r730-028 ~]# oc whoami
pm3
[root@dell-r730-028 ~]# oc auth can-i start vm
no
[root@dell-r730-028 ~]# oc auth can-i restart vm
no
[root@dell-r730-028 ~]# oc auth can-i stop vm
no
I'm not sure the RBAC system can recognize or even has the verbs (start/restart/stop), as the "oc auth can-i" tool didn't check verb spelling, but VM can't be updated.

[root@dell-r730-028 ~]# oc auth can-i update vm
yes
Sorry, typo. Should be "but VM can be updated".
Fixed it, PR on master: https://github.com/kubevirt/kubevirt/pull/2391

@Qixuan, the correct syntax imho for subresources would be "oc auth can-i update vm --subresource=start", but that also doesn't work. I assume the tool does not deal correctly with resources defined by CRDs and subresources by aggregated API server.
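The forbidden error in the report and the discussion of subresources above come down to how an RBAC PolicyRule is matched against a request: the verb, the API group and the resource (including any "resource/subresource" part) must all match the same rule. The following is an added example, not KubeVirt's or Kubernetes' own code, modelling that matching in a few lines so the behaviour can be reproduced offline. The two ClusterRole rule sets are constructed for illustration: one grants the "edit"-style verbs on VirtualMachine objects in kubevirt.io only, the other additionally grants update on the start/stop/restart subresources in subresources.kubevirt.io, the group served by KubeVirt's aggregated API server.

```python
"""Simplified model of Kubernetes RBAC rule matching (added example, not project code).

Assumptions: a rule lists apiGroups, resources and verbs; "*" matches anything;
a resource entry may be "resource/subresource"; Kubernetes also accepts the
"*/subresource" form for granting a subresource on every resource.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]


@dataclass
class Request:
    verb: str
    api_group: str
    resource: str
    subresource: str = ""


def resource_matches(rule: Rule, req: Request) -> bool:
    """A plain 'virtualmachines' entry never covers 'virtualmachines/start'."""
    combined = req.resource if not req.subresource else f"{req.resource}/{req.subresource}"
    for entry in rule.resources:
        if entry == "*" or entry == combined:
            return True
        # "*/start" grants the start subresource on any resource in the group.
        if req.subresource and entry == f"*/{req.subresource}":
            return True
    return False


def rule_allows(rule: Rule, req: Request) -> bool:
    verb_ok = "*" in rule.verbs or req.verb in rule.verbs
    group_ok = "*" in rule.api_groups or req.api_group in rule.api_groups
    return verb_ok and group_ok and resource_matches(rule, req)


def authorize(rules: List[Rule], req: Request) -> str:
    """Mimic 'oc auth can-i': 'yes' if any single rule matches the whole request."""
    return "yes" if any(rule_allows(r, req) for r in rules) else "no"


# Constructed: the VM-related part of an "edit"-style role that only knows the
# VirtualMachine object in kubevirt.io and nothing in subresources.kubevirt.io.
EDIT_WITHOUT_SUBRESOURCES = [
    Rule(["kubevirt.io"], ["virtualmachines", "virtualmachineinstances"],
         ["get", "list", "watch", "create", "update", "patch", "delete"]),
]

# Constructed: the extra rule needed so that virtctl start/stop/restart succeed.
SUBRESOURCE_RULE = Rule(
    ["subresources.kubevirt.io"],
    ["virtualmachines/start", "virtualmachines/stop", "virtualmachines/restart"],
    ["update"],
)
EDIT_WITH_SUBRESOURCES = EDIT_WITHOUT_SUBRESOURCES + [SUBRESOURCE_RULE]

# The request virtctl start actually makes (from the error text in the report).
START_REQUEST = Request("update", "subresources.kubevirt.io", "virtualmachines", "start")
# Plain object update, the thing "oc auth can-i update vm" asks about.
UPDATE_REQUEST = Request("update", "kubevirt.io", "virtualmachines")
# A start subresource addressed in the CRD's own group, not the aggregated one.
START_IN_CRD_GROUP = Request("update", "kubevirt.io", "virtualmachines", "start")


def check_start(rules: List[Rule]) -> str:
    return authorize(rules, START_REQUEST)


def check_update(rules: List[Rule]) -> str:
    return authorize(rules, UPDATE_REQUEST)


def check_start_in_crd_group(rules: List[Rule]) -> str:
    return authorize(rules, START_IN_CRD_GROUP)


if __name__ == "__main__":
    for label, rules in (("edit only", EDIT_WITHOUT_SUBRESOURCES),
                         ("edit + subresources", EDIT_WITH_SUBRESOURCES)):
        print(f"{label}: update vm -> {check_update(rules)}, "
              f"update virtualmachines/start -> {check_start(rules)}")
```

With the first rule set the model answers "yes" for a plain update of the VM object and "no" for update on virtualmachines/start, which is exactly the pair of results seen in comments 3 and 4; adding the subresource rule flips the start check to "yes". The model also denies virtualmachines/start when it is requested in the kubevirt.io group rather than subresources.kubevirt.io, which (on the assumption that can-i resolves the short name vm to the CRD's own group) is consistent with the "no" answers in comment 9 even after the fix; the thread attributes that part to the tool rather than to the RBAC rules.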
*** Bug 1721025 has been marked as a duplicate of this bug. ***
PR on release-0.17 branch: https://github.com/kubevirt/kubevirt/pull/2394
verify with build: hco-bundle-registry-container-v2.0.0-32

create and give edit role to user
$ oc adm policy add-cluster-role-to-user edit pm2
cluster role "edit" added: "pm2"

login cluster
$ oc login -u pm2 -p redhat
Login successful.

$ oc create -f no-user.yaml
virtualmachine.kubevirt.io/vm-cirros created
$ virtctl start vm-cirros
VM vm-cirros was scheduled to start
$ oc get vmi
NAME        AGE    PHASE     IP            NODENAME
vm-cirros   125m   Running   xx.xx.xx.xx   host-172-16-0-15
$ virtctl restart vm-cirros
VM vm-cirros was scheduled to restart
$ virtctl stop vm-cirros
VM vm-cirros was scheduled to stop

but when I run cmd:
$ oc whoami
pm2
$ oc auth can-i update vm --subresource=start
no
$ oc auth can-i update vm --subresource=restart
no

Hi Marc,
Is this an issue for the tool, not for CNV, right?
right, see comment 5
Per comments 9 & 10, move to verified.