Description of problem: Login kibana as kubeadmin, try to create pattern for infra indices. the infra indices couldn't be retrieved. (Hint: you can create infra pattern using the users with cluster-admin role) Version-Release number of selected component (if applicable): 4.5 latest CI images How reproducible: always Steps to Reproduce: 1. Loging kibana as kubeadmin 2. Try to create pattern for infra indices Actual results: The kubeadmin couldn't retrive the infra indices
I'll need to ask the auth team to carify. Results from my test: $ oc whoami kube:admin $ oc auth can-i get pods --subresource=log -n default --token=$(oc whoami -t) yes $ oc auth can-i get pods --subresource=log -n default --as=kubeadmin no $ oc auth can-i get pods --subresource=log -n default --as=kube:admin no
Full ref to the answer but this is not a bug: https://coreos.slack.com/archives/CB48XQ4KZ/p1588874315324400 Stefan Schimanski 3 hours ago // BootstrapUser is the magic bootstrap OAuth user that can perform any action BootstrapUser = "kube:admin" Stefan Schimanski 3 hours ago kube:admin is not subject of rbac at all This implies the experience one would see as "kube:admin" and using our designed access would evaluate in the same way as "oc auth can-i" since they both use a SAR to evaluate RBAC. Closing NOTABUG