Bug 1744488
| Summary: | The common users cannot use the resource provided by the 3rd level operator | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Jian Zhang <jiazha> |
| Component: | OLM | Assignee: | Alec Merdler <amerdler> |
| OLM sub component: | OLM | QA Contact: | Jian Zhang <jiazha> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | high | | |
| Priority: | high | CC: | bandrade, chuo, jfan, scolange |
| Version: | 4.2.0 | | |
| Target Milestone: | --- | | |
| Target Release: | 4.2.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-10-16 06:37:16 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Jian Zhang
2019-08-22 09:39:01 UTC
I can get the etcdcluster permission well in the backend.

mac:~ jianzhang$ oc whoami
jiazha
mac:~ jianzhang$ oc get etcdcluster
No resources found.
mac:~ jianzhang$ oc project
Using project "jian" on server "https://api.qe-gpei-proxy-pub.qe.devcluster.openshift.com:6443".

This issue is caused because namespace admins only have a `RoleBinding` to the "admin" `ClusterRole`, which doesn't allow them to view cluster-scoped resources (like CRDs). Simply creating a `ClusterRoleBinding` to the "global-operators-admin" `ClusterRole` will provide the right permissions.
For reference, OLM creates and maintains `ClusterRoles` for each Operator-provided API. These `ClusterRoles` are all aggregated to the associated general `ClusterRoles` (`view`, `edit`, and `admin`).
For this case, you should have the following `ClusterRole` on your cluster:
```yaml
$ kubectl get clusterrole etcdclusters.etcd.database.coreos.com-v1beta2-crdview -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    olm.opgroup.permissions/aggregate-to-view: global-operators
    olm.owner: etcdoperator.v0.9.4-clusterwide
    olm.owner.kind: ClusterServiceVersion
    olm.owner.namespace: openshift-operators
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: etcdclusters.etcd.database.coreos.com-v1beta2-crdview
rules:
- apiGroups:
  - apiextensions.k8s.io
  resourceNames:
  - etcdclusters.etcd.database.coreos.com
  resources:
  - customresourcedefinitions
  verbs:
  - get
```
Notice the `rbac.authorization.k8s.io/aggregate-to-view: "true"` label.
Running `oc get etcdcluster` works because you are fetching instances of a custom resource in your namespace, not the cluster-scoped `CustomResourceDefinition` itself.
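The explanation above rests on two RBAC mechanics: the `aggregate-to-*` labels pull an OLM-owned `ClusterRole` into the default `view`/`edit`/`admin` roles, and a namespaced `RoleBinding` to a `ClusterRole` grants those rules only inside its namespace, so it can never authorise a request for a cluster-scoped object such as a CRD. The following toy model of the RBAC authorizer, added here as an illustration and not code from the bug report, OpenShift or OLM, reproduces both behaviours. The crdview role and its labels are copied from the YAML above; the `etcdclusters-view` and `global-operators-view` roles, the chain of default roles, the user and the bindings are constructed for the example (the real OLM OperatorGroup roles are named in the report but their selectors are not shown, so the selector used here is an assumption).

```python
"""Toy model of Kubernetes RBAC: aggregated ClusterRoles and binding scope.

Added example; not code from the bug report, OpenShift or OLM. The crdview
ClusterRole and its labels are copied from the report; `etcdclusters-view`,
`global-operators-view`, the user name and the bindings are constructed here.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    api_groups: set
    resources: set
    verbs: set
    resource_names: set = field(default_factory=set)  # empty set = any name

    def matches(self, verb, group, resource, name):
        return ((verb in self.verbs or "*" in self.verbs)
                and (group in self.api_groups or "*" in self.api_groups)
                and (resource in self.resources or "*" in self.resources)
                and (not self.resource_names or name in self.resource_names))


@dataclass
class ClusterRole:
    name: str
    labels: dict = field(default_factory=dict)
    rules: list = field(default_factory=list)
    selectors: list = field(default_factory=list)  # aggregationRule matchLabels


def aggregate(roles, max_passes=10):
    """Fill each aggregated role's rules from the roles whose labels match one of
    its selectors. Iterates to a fixpoint because the default chain is
    view -> edit -> admin (each level is itself labelled for the next one)."""
    for _ in range(max_passes):
        changed = False
        for role in roles.values():
            if not role.selectors:
                continue
            collected = []
            for other in roles.values():
                if other is not role and any(
                        all(other.labels.get(k) == v for k, v in sel.items())
                        for sel in role.selectors):
                    collected.extend(other.rules)
            if collected != role.rules:
                role.rules, changed = collected, True
        if not changed:
            break
    return roles


@dataclass
class Binding:
    subject: str
    role_ref: str          # name of a ClusterRole
    namespace: str = None  # None = ClusterRoleBinding, otherwise a RoleBinding


def can_i(roles, bindings, user, verb, group, resource, name="", namespace=None):
    """Authorise like the RBAC authorizer. namespace=None is a cluster-scoped
    request; a RoleBinding only applies to requests inside its own namespace,
    so it never satisfies one, whatever ClusterRole it refers to."""
    for b in bindings:
        if b.subject != user:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue
        if any(r.matches(verb, group, resource, name) for r in roles[b.role_ref].rules):
            return True
    return False


CRD = "etcdclusters.etcd.database.coreos.com"
AGG_VIEW = "rbac.authorization.k8s.io/aggregate-to-view"
AGG_EDIT = "rbac.authorization.k8s.io/aggregate-to-edit"
AGG_ADMIN = "rbac.authorization.k8s.io/aggregate-to-admin"
OPGROUP_VIEW = "olm.opgroup.permissions/aggregate-to-view"


def build_roles():
    roles = {
        # Copied from the report: OLM-owned role granting `get` on the CRD object itself.
        CRD + "-v1beta2-crdview": ClusterRole(
            CRD + "-v1beta2-crdview", labels={AGG_VIEW: "true", OPGROUP_VIEW: "global-operators"},
            rules=[Rule({"apiextensions.k8s.io"}, {"customresourcedefinitions"}, {"get"}, {CRD})]),
        # Constructed: a role over the CR instances, which is what `oc get etcdcluster` needs.
        "etcdclusters-view": ClusterRole(
            "etcdclusters-view", labels={AGG_VIEW: "true", OPGROUP_VIEW: "global-operators"},
            rules=[Rule({"etcd.database.coreos.com"}, {"etcdclusters"}, {"get", "list", "watch"})]),
        # Default aggregation chain as shipped by Kubernetes: view -> edit -> admin.
        "view": ClusterRole("view", labels={AGG_EDIT: "true"}, selectors=[{AGG_VIEW: "true"}]),
        "edit": ClusterRole("edit", labels={AGG_ADMIN: "true"}, selectors=[{AGG_EDIT: "true"}]),
        "admin": ClusterRole("admin", selectors=[{AGG_ADMIN: "true"}]),
        # Constructed (assumed shape): per-OperatorGroup role keyed on the olm.opgroup label.
        "global-operators-view": ClusterRole("global-operators-view",
                                             selectors=[{OPGROUP_VIEW: "global-operators"}]),
    }
    return aggregate(roles)


def scenario():
    roles = build_roles()
    ns_admin = [Binding("jiazha", "admin", namespace="jian")]          # project admin only
    with_crb = ns_admin + [Binding("jiazha", "global-operators-view")]  # plus a ClusterRoleBinding
    get_crd = dict(verb="get", group="apiextensions.k8s.io",
                   resource="customresourcedefinitions", name=CRD)
    return {
        "list etcdclusters in jian": can_i(roles, ns_admin, "jiazha", "list",
                                           "etcd.database.coreos.com", "etcdclusters", namespace="jian"),
        "get CRD via RoleBinding": can_i(roles, ns_admin, "jiazha", **get_crd),
        "get CRD via ClusterRoleBinding": can_i(roles, with_crb, "jiazha", **get_crd),
    }


if __name__ == "__main__":
    for check, allowed in scenario().items():
        print(f"{check}: {'yes' if allowed else 'no'}")
```

The first check succeeds and the second fails for the same user with the same `admin` role, which is exactly the situation in the report: the CR instances are namespaced and covered by the `RoleBinding`, the CRD is cluster-scoped and is not. Only a `ClusterRoleBinding` (third check) reaches the cluster scope, and creating one requires cluster-admin rights, which is the objection raised in the reply below.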
Hi, Alec
Thanks for your information!
> Simply creating a `ClusterRoleBinding` to the "global-operators-admin" `ClusterRole` will provide the right permissions.
Yes, I understand. But I don't think the common user has this permission. As we did before on the web console, the common user can use these operators' resources directly, with no further operations.
Error from server (Forbidden): error when creating "clusrterrolebinding.yaml": clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "pm1" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope
For now, do the cluster-admin users need to create permissions for the common users? I don't think this is a good idea.
Because the common users should use these operators' resources directly, as we did for those template resources.
Console version: io.openshift.build.commit.url=https://github.com/openshift/console/commit/e7ab3a9cfabb276a69d546bef9060401915b0b8b
Cluster version is 4.2.0-0.nightly-2019-09-06-234022

1, Install OCP 4.2.
2, Log in as the cluster-admin user and create an operator for the whole cluster, for example, etcd-operator.

mac:~ jianzhang$ oc get sub -n openshift-operators
NAME   PACKAGE   SOURCE                CHANNEL
etcd   etcd      community-operators   clusterwide-alpha
mac:~ jianzhang$ oc get csv -n openshift-operators
NAME                              DISPLAY   VERSION             REPLACES                          PHASE
etcdoperator.v0.9.4-clusterwide   etcd      0.9.4-clusterwide   etcdoperator.v0.9.2-clusterwide   Succeeded

3, Log out and log in to the cluster as a common user on the web console. Create a project called "jian". "Operators" -> "Installed Operators" -> etcd -> "etcd cluster" -> create instance. As below, it works as expected; verified. Thanks!

mac:~ jianzhang$ oc get pod -n jian
NAME                 READY   STATUS    RESTARTS   AGE
example-fh7hdjhncw   1/1     Running   0          3m27s
example-gfjz82cvj9   1/1     Running   0          2m54s
example-nn5lw9lsv4   1/1     Running   0          4m7s
mac:~ jianzhang$ oc get etcdcluster -n jian
NAME      AGE
example   4m17s

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922