Bug 1886888 - user with clusterrole full rights on deployments/scale cannot scale pod using the console
Summary: user with clusterrole full rights on deployments/scale cannot scale pod using...
Keywords:
Status: CLOSED DUPLICATE of bug 1911307
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Dev Console
Version: 4.5
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: ---
Assignee: cvogt
QA Contact:
Rishu Mehra
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-10-09 16:19 UTC by German Parente
Modified: 2022-03-04 16:48 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
In {product-title} 4.9, a user with scale permissions cannot scale a deployment or deployment config using the console if they do not have edit rights to the deployment or deployment config. This will be resolved in a future release. (link:https://bugzilla.redhat.com/show_bug.cgi?id=1886888[BZ#1886888])
Clone Of:
Environment:
Last Closed: 2022-03-04 16:30:51 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description German Parente 2020-10-09 16:19:40 UTC 
Description of problem:

- create a user.

- create a cluster role like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2020-10-09T15:13:20Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:rules: {}
    manager: oc
    operation: Update
    time: "2020-10-09T15:37:44Z"
  name: scale
  resourceVersion: "60514"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/scale
  uid: 36bc20fe-c654-4431-8a9b-9b7db96a473a
rules:
- apiGroups:
  - apps
  - apps.openshift.io
  resources:
  - configmaps
  - deploymentconfigs/scale
  - deployments/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete

- create a rolebinding like this:


apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2020-10-09T15:20:36Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:roleRef:
        f:apiGroup: {}
        f:kind: {}
        f:name: {}
      f:subjects: {}
    manager: Mozilla
    operation: Update
    time: "2020-10-09T15:20:36Z"
  name: scalebinding
  resourceVersion: "55475"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/scalebinding
  uid: 44e210a1-1b14-4f0c-961f-9414736d0eaf
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: scale
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: gparente

- login as user

- scale deployment:

oc -n test scale deployment.apps/ruby-ex --replicas=3
deployment.apps/ruby-ex scaled

- try to scale using the console does not work

- we have to add to the clusterrole the deployments resource but that gives full access on the resource.

So. the workaroud is to edit the cluster role and add:


  resources:
  ...
  - deployments
  ...



Version-Release number of selected component (if applicable): 4.5


How reproducible: always
Comment 1 Stephen Cuppett 2020-10-09 16:55:45 UTC 
Setting target release to the active development branch (4.7.0). For any fixes, where required and requested, cloned BZs will be created for those release maintenance streams where appropriate once they are identified.
Comment 6 Andrew Ballantyne 2020-10-23 17:35:32 UTC 
Jira ticket for planning purposes: https://issues.redhat.com/browse/ODC-5042
Comment 7 Andrew Ballantyne 2021-01-13 18:34:35 UTC 
Pushing to 4.8 as we lack the bandwidth to address this in 4.7.
Comment 8 Rishu Mehra 2021-02-19 15:51:29 UTC 
Updated the doc text filed.
Note You need to log in before you can comment on or make changes to this bug.