Description of problem:
Got the errors below when creating the etcdcluster resource:

customresourcedefinitions.apiextensions.k8s.io "etcdclusters.etcd.database.coreos.com" is forbidden: User "jiazha" cannot get resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope

Version-Release number of selected component (if applicable):
4.2.0-0.nightly-2019-08-21-235427

mac:~ jianzhang$ oc -n openshift-operator-lifecycle-manager exec catalog-operator-6b8945b7f7-qppcv -- olm --version
OLM version: 0.11.0
git commit: e1ca8132e3b96fe68fd6fae57f56f7749b99c308

How reproducible:
always

Steps to Reproduce:
1. Install an OCP 4.2 with proxy.

mac:~ jianzhang$ oc get proxy cluster -o yaml
apiVersion: config.openshift.io/v1
kind: Proxy
metadata:
  creationTimestamp: "2019-08-22T06:28:18Z"
  generation: 2
  name: cluster
  resourceVersion: "69320"
  selfLink: /apis/config.openshift.io/v1/proxies/cluster
  uid: 07c2a392-c4a6-11e9-8cf0-0050568b2275
spec:
  httpProxy: http://proxy-user1:JYgU8qRZV4DY4PXJbxJK@139.178.76.57:3128
  httpsProxy: http://proxy-user1:JYgU8qRZV4DY4PXJbxJK@139.178.76.57:3128
  noProxy: test.no-proxy.com,control-plane-0,compute-0,compute-1
  trustedCA:
    name: ""
status:
  httpProxy: http://proxy-user1:JYgU8qRZV4DY4PXJbxJK@139.178.76.57:3128
  httpsProxy: http://proxy-user1:JYgU8qRZV4DY4PXJbxJK@139.178.76.57:3128
  noProxy: .cluster.local,.svc,10.128.0.0/14,127.0.0.1,172.30.0.0/16,api-int.qe-gpei-proxy-pub.qe.devcluster.openshift.com,api.qe-gpei-proxy-pub.qe.devcluster.openshift.com,compute-0,compute-1,control-plane-0,etcd-0.qe-gpei-proxy-pub.qe.devcluster.openshift.com,localhost,test.no-proxy.com

2. Log in to the cluster as the cluster-admin user.
3. Install the etcd operator, selecting the cluster-wide version.
4. Log out and log in to the cluster as a common user.
5. Create a project.
6. Click "Developer" -> "Topology" -> "Browse Catalog" -> "etcd Cluster" -> "Create".

Actual results:
Got the errors below:

customresourcedefinitions.apiextensions.k8s.io "etcdclusters.etcd.database.coreos.com" is forbidden: User "jiazha" cannot get resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope

Expected results:
The common user can create the etcdcluster resource successfully.

Additional info:
I also checked other operators, such as descheduler, and got the same issue.
For me, I think this issue has nothing to do with the proxy setting, but with CRD permission. Correct me if I'm wrong. Please feel free to move it to the appropriate component.

mac:~ jianzhang$ oc get rolebinding admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2019-08-22T08:53:18Z"
  name: admin
  namespace: jian
  resourceVersion: "67811"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/jian/rolebindings/admin
  uid: 4916cf3c-c4ba-11e9-9e48-0050568bf2b5
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: jiazha

mac:~ jianzhang$ oc get clusterrole admin -o yaml|grep -i "etcdcluster" -A 5
  - etcdclusters
  verbs:
  - create
  - update
  - patch
  - delete
--
  - etcdclusters.etcd.database.coreos.com
  resources:
  - customresourcedefinitions
  verbs:
  - get
- apiGroups:
--
  - etcdclusters
  verbs:
  - get
  - list
  - watch
- apiGroups:
--
  - etcdclusters
  verbs:
  - '*'
- apiGroups:
  - etcd.database.coreos.com
  resources:
I can get the etcdcluster permission well in the backend.

mac:~ jianzhang$ oc whoami
jiazha
mac:~ jianzhang$ oc get etcdcluster
No resources found.
mac:~ jianzhang$ oc project
Using project "jian" on server "https://api.qe-gpei-proxy-pub.qe.devcluster.openshift.com:6443".
This issue is caused because namespace admins only have a `RoleBinding` to the "admin" `ClusterRole`, which doesn't allow them to view cluster-scoped resources (like CRDs). Simply creating a `ClusterRoleBinding` to the "global-operators-admin" `ClusterRole` will provide the right permissions.

For reference, OLM creates and maintains `ClusterRoles` for each Operator-provided API. These `ClusterRoles` are all aggregated to the associated general `ClusterRoles` (`view`, `edit`, and `admin`). For this case, you should have the following `ClusterRole` on your cluster:

$ kubectl get clusterrole etcdclusters.etcd.database.coreos.com-v1beta2-crdview -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    olm.opgroup.permissions/aggregate-to-view: global-operators
    olm.owner: etcdoperator.v0.9.4-clusterwide
    olm.owner.kind: ClusterServiceVersion
    olm.owner.namespace: openshift-operators
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: etcdclusters.etcd.database.coreos.com-v1beta2-crdview
rules:
- apiGroups:
  - apiextensions.k8s.io
  resourceNames:
  - etcdclusters.etcd.database.coreos.com
  resources:
  - customresourcedefinitions
  verbs:
  - get

Notice the `rbac.authorization.k8s.io/aggregate-to-view: "true"` label.

Running `oc get etcdcluster` works because you are fetching instances of a custom resource in your namespace, not the cluster-scoped `CustomResourceDefinition` itself.
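As an added illustration (not code from this bug, from OLM or from Kubernetes), the toy evaluator below models the RBAC semantics described in the comment above: the labelled crdview `ClusterRole` aggregated into `view`/`edit`/`admin`, the reporter's `RoleBinding` to `admin` in namespace `jian`, and the suggested `ClusterRoleBinding` to `global-operators-admin`. Role and label names are taken from the comment; the etcdclusters view role and the rules aggregated by `global-operators-admin` are assumptions, marked as such in the code.

```python
# Added example (not OLM or Kubernetes code): a toy RBAC evaluator for this bug's roles and bindings.
V, E, A = ("rbac.authorization.k8s.io/aggregate-to-" + s for s in ("view", "edit", "admin"))
OG = "olm.opgroup.permissions/aggregate-to-view"
def rule(groups, resources, verbs, names=()):
    return {"groups": set(groups), "resources": set(resources), "verbs": set(verbs), "names": set(names)}

# Constructed ClusterRoles; "aggregate" lists the (label, value) selectors of the aggregationRule.
CLUSTER_ROLES = {
    "etcdclusters.etcd.database.coreos.com-v1beta2-crdview": {  # as shown in the comment above
        "labels": {V: "true", OG: "global-operators"},
        "rules": [rule(["apiextensions.k8s.io"], ["customresourcedefinitions"], ["get"],
                       ["etcdclusters.etcd.database.coreos.com"])]},
    "etcdclusters-view-constructed": {  # stand-in for OLM's view role on etcdclusters
        "labels": {V: "true", OG: "global-operators"},
        "rules": [rule(["etcd.database.coreos.com"], ["etcdclusters"], ["get", "list", "watch"])]},
    "view": {"labels": {E: "true"}, "aggregate": [(V, "true")]},   # built-in chain:
    "edit": {"labels": {A: "true"}, "aggregate": [(E, "true")]},   # admin -> edit -> view
    "admin": {"aggregate": [(A, "true")]},
    # Assumption: the OLM operator-group admin role aggregates the group's view-level
    # rules, which is what makes the ClusterRoleBinding suggested above sufficient.
    "global-operators-admin": {"aggregate": [(OG, "global-operators")]},
}

def resolve(name):
    """A ClusterRole's own rules plus those of every role its selectors match (recursively)."""
    role = CLUSTER_ROLES[name]
    rules = list(role.get("rules", []))
    for key, value in role.get("aggregate", []):
        for other, cr in CLUSTER_ROLES.items():
            if other != name and cr.get("labels", {}).get(key) == value:
                rules += resolve(other)
    return rules

def rule_matches(r, req):
    return (req["group"] in r["groups"] and req["resource"] in r["resources"]
            and ("*" in r["verbs"] or req["verb"] in r["verbs"])
            and (not r["names"] or req["name"] in r["names"]))
def allowed(binding, req):
    """RoleBinding: only requests in its namespace (never cluster scope, namespace ""); ClusterRoleBinding: all."""
    if binding["kind"] == "RoleBinding" and req["namespace"] != binding["namespace"]:
        return False
    return any(rule_matches(r, req) for r in resolve(binding["roleRef"]))
# The console's cluster-scoped CRD GET that failed, and the reporter's `oc get etcdcluster` (LIST) that worked.
CRD_GET = {"verb": "get", "group": "apiextensions.k8s.io", "resource": "customresourcedefinitions",
           "name": "etcdclusters.etcd.database.coreos.com", "namespace": ""}
ETCD_LIST = {"verb": "list", "group": "etcd.database.coreos.com", "resource": "etcdclusters",
             "name": "", "namespace": "jian"}
ROLEBINDING = {"kind": "RoleBinding", "namespace": "jian", "roleRef": "admin"}
CLUSTERROLEBINDING = {"kind": "ClusterRoleBinding", "roleRef": "global-operators-admin"}
```

`allowed(ROLEBINDING, CRD_GET)` is False even though `admin` aggregates the crdview rule, while `allowed(ROLEBINDING, ETCD_LIST)` and both checks through `CLUSTERROLEBINDING` are True.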
Hi, Alec

Thanks for your information!

> Simply creating a `ClusterRoleBinding` to the "global-operators-admin" `ClusterRole` will provide the right permissions.

Yes, I understand. But I don't think the common user has this permission. As we did before on the web console, the common user could use these operators' resources directly, with no extra operations.

Error from server (Forbidden): error when creating "clusrterrolebinding.yaml": clusterrolebindings.rbac.authorization.k8s.io is forbidden: User "pm1" cannot create resource "clusterrolebindings" in API group "rbac.authorization.k8s.io" at the cluster scope

For now, do the cluster-admin users need to create permissions for the common users? I don't think this is a good idea, because the common users should be able to use these operators' resources directly, as we did for those template resources.
Console version: io.openshift.build.commit.url=https://github.com/openshift/console/commit/e7ab3a9cfabb276a69d546bef9060401915b0b8b
Cluster version is 4.2.0-0.nightly-2019-09-06-234022

1. Install OCP 4.2.
2. Log in as the cluster-admin user and create an operator for the whole cluster, for example, etcd-operator.

mac:~ jianzhang$ oc get sub -n openshift-operators
NAME   PACKAGE   SOURCE                CHANNEL
etcd   etcd      community-operators   clusterwide-alpha
mac:~ jianzhang$ oc get csv -n openshift-operators
NAME                              DISPLAY   VERSION             REPLACES                          PHASE
etcdoperator.v0.9.4-clusterwide   etcd      0.9.4-clusterwide   etcdoperator.v0.9.2-clusterwide   Succeeded

3. Log out and log in to the cluster as a common user on the web console. Create a project called "jian". "Operators" -> "Installed Operators" -> etcd -> "etcd cluster" -> create instance.

As shown below, it works as expected; verifying it. Thanks!

mac:~ jianzhang$ oc get pod -n jian
NAME                 READY   STATUS    RESTARTS   AGE
example-fh7hdjhncw   1/1     Running   0          3m27s
example-gfjz82cvj9   1/1     Running   0          2m54s
example-nn5lw9lsv4   1/1     Running   0          4m7s
mac:~ jianzhang$ oc get etcdcluster -n jian
NAME      AGE
example   4m17s
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2922