Bug 1843222 - Unable to import/run an image from other project
Summary: Unable to import/run an image from other project
Keywords:
Status: VERIFIED
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Dev Console
Version: 4.3.z
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ---
Target Release: 4.6.0
Assignee: Jaivardhan Kumar
QA Contact: spathak@redhat.com
URL:
Whiteboard:
Depends On:
Blocks: 1875858
 
Reported: 2020-06-02 19:58 UTC by Miguel Figueiredo Nunes
Modified: 2020-09-09 14:20 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: In 4.x, on import of an image from another namespace for which the user has edit access, the rolebindings needed for image-puller rights are created in the namespace the user is trying to import from, and this fails because the user doesn't have admin privileges on that namespace.
Consequence: A self-provisioner user is unable to import an image from another Project for which they have edit access.
Fix: Created the rolebindings required for image-puller rights in the namespace the user wants to import to. In 4.x we have added the ability to automatically grant image-puller rights in the namespace, unlike 3.x, where the user executes an `oc` command to give the permission.
Result: The user can import/run an image from another Project if they have edit access.
Clone Of:
Environment:
Last Closed:
Target Upstream Version:


Attachments
Able to import/run an image from other project (66.13 KB, image/png), 2020-09-09 14:14 UTC, spathak@redhat.com
Unable to import/run an image from other project (42.93 KB, image/png), 2020-09-09 14:18 UTC, spathak@redhat.com


Links
System ID Priority Status Summary Last Updated
Github openshift console pull 6514 None closed Bug 1843222: fixes issue with internal image imports for self-provisioner with edi… 2020-09-08 13:31:01 UTC

Description Miguel Figueiredo Nunes 2020-06-02 19:58:03 UTC
Description of problem:
Customer unable to retrieve an image from another project using serviceaccounts in the Web UI

Version-Release number of selected component (if applicable):
4.x

How reproducible:
All times

Steps to Reproduce:
1. Create a user and give him only edit, deployer or image-puller rights
2. Execute the procedures in this document:
   https://docs.openshift.com/container-platform/4.3/openshift_images/managing_images/using-image-pull-secrets.html#images-allow-pods-to-reference-images-across-projects_using-image-pull-secrets

3. Try to create a new deploy getting an image from another project (project-a)

Actual results:
On Deploy Image->Image stream tag from internal registry, I got the message:

"Service account default does not have authority to pull images from project-b. Select another project to continue."

Expected results:

Be able to run an image from another project, since the necessary permissions were set based on the document referred to above

Additional info:

This same process worked for the customer in the 3.x version. The customer is migrating his projects from the 3.x to 4.x
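
An added example, not part of the original report or of the console fix: a check for whether any RoleBinding in the image's project grants `system:image-puller` to the service account named in the error message. The project names, binding names and sample JSON are constructed assumptions; `project-b` is taken to be the project that holds the image.

```python
import json

PULLER = "system:image-puller"

# Constructed sample, shaped like `oc get rolebindings -n project-b -o json`.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "puller-a"},
  "roleRef": {"kind": "ClusterRole", "name": "system:image-puller"},
  "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "project-a"}]},
 {"metadata": {"name": "pullers-c"},
  "roleRef": {"kind": "ClusterRole", "name": "system:image-puller"},
  "subjects": [{"kind": "Group", "name": "system:serviceaccounts:project-c"}]},
 {"metadata": {"name": "edit-alice"},
  "roleRef": {"kind": "ClusterRole", "name": "edit"},
  "subjects": [{"kind": "User", "name": "alice"}]}
]}
""")

def puller_bindings(rolebindings, sa_namespace, sa_name="default"):
    """Names of RoleBindings that give the service account system:image-puller.

    Only this one role is inspected; other roles may also allow pulls.
    """
    user = f"system:serviceaccount:{sa_namespace}:{sa_name}"
    # Groups every service account token in sa_namespace carries.
    groups = {"system:authenticated", "system:serviceaccounts",
              f"system:serviceaccounts:{sa_namespace}"}
    found = []
    for rb in rolebindings.get("items", []):
        if rb.get("roleRef", {}).get("name") != PULLER:
            continue
        for s in rb.get("subjects") or []:  # subjects may be null or absent
            kind, name = s.get("kind"), s.get("name")
            direct = (kind == "ServiceAccount" and name == sa_name
                      and s.get("namespace") == sa_namespace)
            as_user = kind == "User" and name == user
            via_group = kind == "Group" and name in groups
            if direct or as_user or via_group:
                found.append(rb["metadata"]["name"])
                break
    return found

if __name__ == "__main__":
    for ns in ("project-a", "project-c", "project-d"):
        hits = puller_bindings(SAMPLE, ns)
        print(f"{ns}/default:", hits or "no image-puller binding in project-b")
```

The `edit-alice` binding is deliberately ignored: a user's own role in the image's project says nothing about what the `default` service account of the deploying project may pull.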

Comment 1 Maru Newby 2020-06-03 07:41:53 UTC
This appears to be an issue with the internal registry, not cluster auth. Reassigning.

Comment 6 Ben Silverman 2020-08-07 23:31:30 UTC
We are also having this issue. Did the following procedure above on a 4.3.8 cluster and assigned a user the "edit" role into another project. When the user enters the web console and tries to use the deploy an image from an internal registry they get the same "Service account default does not have authority to pull images from other_project. Select another project to continue" message. When the role of the user is changed to the admin role, it works fine, but anything below admin (basic-user, deployer, etc) fails.

Comment 9 spathak@redhat.com 2020-09-09 14:14:36 UTC
Created attachment 1714290
Able to import/run an image from other project

Comment 10 spathak@redhat.com 2020-09-09 14:18:22 UTC
Created attachment 1714291
Unable to import/run an image from other project

Comment 11 spathak@redhat.com 2020-09-09 14:20:27 UTC
Verified on Build version: 4.6.0-0.nightly-2020-09-09-062306
Browser version: Chrome 84

