Currently we show cluster upgrades to anyone who can get the ClusterVersion resource. We don't check whether the user is actually able to edit the ClusterVersion to start an upgrade. We should avoid showing the notification to users who can't act on it. For users who are unable to patch the ClusterVersion resource, we should:

1. Hide the upgrade notification in the notification drawer, home -> status page, and about dialog
2. Remove the edit channel and start upgrade buttons from the cluster settings page
Created attachment 1702608: Verification screenshot
Checked as a cluster-reader user; as shown in the attached screenshot, RBAC works now. Verified on 4.6.0-0.nightly-2020-07-25-091217
Created attachment 1714197: user without RBAC could not see the clusterversion by url which is hidden from menu
Created attachment 1714198: hidden menu
Created attachment 1714199: user has edit permission could see the Edit button
A user who has only cluster-reader RBAC can visit the Cluster Settings page and see the clusterversion, but could not see the Edit button. This was verified in comment 4. A user who has no cluster-reader RBAC could not see the menus and will get a Restricted Access error message when visiting directly by URL. Attached the screenshot for comparison. A user who has RBAC with ClusterVersion edit permission could see the Edit button on the Cluster Versions page. Also attached the screenshot for comparison.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.6 GA Images), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:4196
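The three users compared in the verification comments, as an added example that is not part of the bug report or the console's own code: it builds the SelfSubjectAccessReview for get and patch on ClusterVersion and derives which upgrade controls to show. The helper names, the offline RBAC evaluator and the rule sets are assumptions constructed for illustration.

```javascript
// Added example; helper names are hypothetical, not the console's own code.

// SelfSubjectAccessReview body asking whether the current user may perform
// `verb` on the singleton ClusterVersion object named "version".
function clusterVersionReview(verb) {
  return {
    apiVersion: 'authorization.k8s.io/v1',
    kind: 'SelfSubjectAccessReview',
    spec: {
      resourceAttributes: { group: 'config.openshift.io', resource: 'clusterversions', name: 'version', verb },
    },
  };
}

// Offline stand-in for the API server (assumption): evaluates a review against
// a constructed, simplified rule list and fills in status.allowed.
function evaluate(review, rules) {
  const attrs = review.spec.resourceAttributes;
  const covers = (list, value) => list.includes('*') || list.includes(value);
  const allowed = rules.some(
    (r) => covers(r.apiGroups, attrs.group) && covers(r.resources, attrs.resource) && covers(r.verbs, attrs.verb)
  );
  return { ...review, status: { allowed } };
}

// Map review results to UI visibility. Anything other than an explicit
// allowed === true (request error, missing status) hides the control.
function upgradeUi(getReview, patchReview) {
  const canGet = getReview?.status?.allowed === true;
  const canPatch = canGet && patchReview?.status?.allowed === true;
  return {
    clusterSettingsPage: canGet, // false corresponds to the Restricted Access case
    upgradeNotification: canPatch, // notification drawer, home -> status, about dialog
    editChannelButton: canPatch,
    startUpgradeButton: canPatch,
  };
}

// Constructed rule sets for the three users compared in the verification.
const RULES = {
  noAccess: [],
  reader: [{ apiGroups: ['*'], resources: ['*'], verbs: ['get', 'list', 'watch'] }],
  editor: [{ apiGroups: ['config.openshift.io'], resources: ['clusterversions'], verbs: ['get', 'patch'] }],
};

function uiFor(user) {
  return upgradeUi(evaluate(clusterVersionReview('get'), RULES[user]), evaluate(clusterVersionReview('patch'), RULES[user]));
}
```

Hiding the controls only keeps the UI honest; the API server's RBAC remains what actually rejects a patch from a read-only user.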