Bug 1805833 - Excessive permissions for prometheus-operator cluster-role
Summary: Excessive permissions for prometheus-operator cluster-role
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Monitoring
Version: 4.3.0
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: ---
: 4.3.z
Assignee: Paul Gier
QA Contact: Junqi Zhao
URL:
Whiteboard:
Depends On: 1795538
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-02-21 15:54 UTC by Sergiusz Urbaniak
Modified: 2023-09-07 21:59 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1795538
Environment:
Last Closed: 2020-04-20 17:08:56 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift prometheus-operator pull 60 0 None closed Bug 1805833: Tighten permissions related to CRD create/update 2020-09-21 05:48:37 UTC
Red Hat Product Errata RHBA-2020:1482 0 None None None 2020-04-20 17:09:17 UTC

Comment 2 Paul Gier 2020-04-06 21:44:18 UTC
I created a PR for openshift/prometheus-operator, however, it looks like the release-4.3 branch of cluster-monitoring-operator is pointing to the jsonnet content of the upstream release-0.34 branch.  Do we want to backport this patch upstream, or should cluster-monitoring-operator point at the downstream prometheus-operator branch?

Comment 8 Junqi Zhao 2020-04-15 05:45:57 UTC
issue is fixed with 4.3.0-0.nightly-2020-04-13-190424, verification steps:
grant cluster-reader role to user

# oc adm policy add-cluster-role-to-user cluster-reader testuser-11

# oc login with the user to the cluster and check
# check the crd oauths.config.openshift.io before deletion
$ oc get crd oauths.config.openshift.io
NAME                         CREATED AT
oauths.config.openshift.io   2020-04-15T01:55:37Z

$ oc describe sa -n openshift-monitoring prometheus-operator
Name:                prometheus-operator
Namespace:           openshift-monitoring
Labels:              app.kubernetes.io/component=controller
                     app.kubernetes.io/name=prometheus-operator
                     app.kubernetes.io/version=v0.34.1
Annotations:         <none>
Image pull secrets:  prometheus-operator-dockercfg-v5nb9
Mountable secrets:   prometheus-operator-token-q4k9f
                     prometheus-operator-dockercfg-v5nb9
Tokens:              <none>
Events:              <none>


$ token=$(oc -n openshift-monitoring get secret prometheus-operator-token-q4k9f -ojsonpath="{.data.token}" | base64 -d)
Error from server (Forbidden): secrets "prometheus-operator-token-q4k9f" is forbidden: User "testuser-11" cannot get resource "secrets" in API group "" in the namespace "openshift-monitoring"

$ oc --token=$token delete crd oauths.config.openshift.io
Error from server (Forbidden): customresourcedefinitions.apiextensions.k8s.io "oauths.config.openshift.io" is forbidden: User "testuser-11" cannot delete resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope

Comment 10 errata-xmlrpc 2020-04-20 17:08:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1482


Note You need to log in before you can comment on or make changes to this bug.