Bug 1886888 - user with clusterrole full rights on deployments/scale cannot scale pod using the console
Summary: user with clusterrole full rights on deployments/scale cannot scale pod using...
Keywords:
Status: NEW
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Dev Console
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.9.0
Assignee: cvogt
QA Contact: Gajanan More
Docs Contact: Rishu Mehra
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-10-09 16:19 UTC by German Parente
Modified: 2021-06-17 14:23 UTC

Fixed In Version:
Doc Type: Known Issue
Doc Text:
In {product-title} 4.5, a user with scale permissions cannot scale a deployment or deployment config using the console if they do not have edit rights to the deployment or deployment config. This will be resolved in a future release. (link:https://bugzilla.redhat.com/show_bug.cgi?id=1886888[BZ#1886888])
Clone Of:
Environment:
Last Closed:
Target Upstream Version:



Description German Parente 2020-10-09 16:19:40 UTC
Description of problem:

- create a user.

- create a cluster role like this:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2020-10-09T15:13:20Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:rules: {}
    manager: oc
    operation: Update
    time: "2020-10-09T15:37:44Z"
  name: scale
  resourceVersion: "60514"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/scale
  uid: 36bc20fe-c654-4431-8a9b-9b7db96a473a
rules:
- apiGroups:
  - apps
  - apps.openshift.io
  resources:
  - configmaps
  - deploymentconfigs/scale
  - deployments/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete

- create a rolebinding like this:


apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  creationTimestamp: "2020-10-09T15:20:36Z"
  managedFields:
  - apiVersion: rbac.authorization.k8s.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:roleRef:
        f:apiGroup: {}
        f:kind: {}
        f:name: {}
      f:subjects: {}
    manager: Mozilla
    operation: Update
    time: "2020-10-09T15:20:36Z"
  name: scalebinding
  resourceVersion: "55475"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterrolebindings/scalebinding
  uid: 44e210a1-1b14-4f0c-961f-9414736d0eaf
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: scale
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: gparente

- login as user

- scale deployment:

oc -n test scale deployment.apps/ruby-ex --replicas=3
deployment.apps/ruby-ex scaled

- trying to scale using the console does not work

- we have to add to the clusterrole the deployments resource but that gives full access on the resource.

So the workaround is to edit the cluster role and add:


  resources:
  ...
  - deployments
  ...



Version-Release number of selected component (if applicable): 4.5


How reproducible: always
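
Why the CLI and the console behave differently under this role, as an added example (not code from the bug report or from OpenShift): a minimal model of Kubernetes RBAC rule matching, which treats deployments/scale and deployments as separate resource names. It assumes the console writes to the Deployment object itself, as the Doc Text implies; the function names are hypothetical.

```python
# Added example: minimal model of Kubernetes RBAC rule matching (not OpenShift code).
VERBS = ["get", "list", "watch", "create", "update", "patch", "delete"]

# Rules copied from the "scale" ClusterRole in the report.
SCALE_ROLE = [{
    "apiGroups": ["apps", "apps.openshift.io"],
    "resources": ["configmaps", "deploymentconfigs/scale",
                  "deployments/scale", "replicationcontrollers/scale"],
    "verbs": VERBS,
}]

# Same role after the workaround: "deployments" added to resources.
WORKAROUND_ROLE = [dict(SCALE_ROLE[0],
                        resources=SCALE_ROLE[0]["resources"] + ["deployments"])]


def _resource_matches(rule_res, resource, subresource):
    """RBAC treats 'deployments' and 'deployments/scale' as distinct names."""
    requested = f"{resource}/{subresource}" if subresource else resource
    if rule_res in ("*", requested):
        return True
    # '*/scale' style rules match that subresource on any resource.
    return bool(subresource) and rule_res == f"*/{subresource}"


def allowed(rules, verb, group, resource, subresource=""):
    """Return True if any rule grants verb on group/resource[/subresource]."""
    for rule in rules:
        if (("*" in rule["verbs"] or verb in rule["verbs"])
                and ("*" in rule["apiGroups"] or group in rule["apiGroups"])
                and any(_resource_matches(r, resource, subresource)
                        for r in rule["resources"])):
            return True
    return False


def granted_verbs(rules, group, resource, subresource=""):
    """List every verb the role grants on one resource, for a privilege review."""
    return [v for v in VERBS if allowed(rules, v, group, resource, subresource)]


if __name__ == "__main__":
    # CLI path from the report: 'oc scale' writes to the scale subresource.
    print("scale subresource:", allowed(SCALE_ROLE, "update", "apps", "deployments", "scale"))
    # Assumed console path: a patch on the Deployment object itself.
    print("patch deployment :", allowed(SCALE_ROLE, "patch", "apps", "deployments"))
    print("after workaround :", granted_verbs(WORKAROUND_ROLE, "apps", "deployments"))
```

Under the original role no verb is granted on deployments, while the workaround role grants all seven, delete included, which is the over-grant the report describes.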

Comment 1 Stephen Cuppett 2020-10-09 16:55:45 UTC
Setting target release to the active development branch (4.7.0). For any fixes, where required and requested, cloned BZs will be created for those release maintenance streams where appropriate once they are identified.

Comment 6 Andrew Ballantyne 2020-10-23 17:35:32 UTC
Jira ticket for planning purposes: https://issues.redhat.com/browse/ODC-5042

Comment 7 Andrew Ballantyne 2021-01-13 18:34:35 UTC
Pushing to 4.8 as we lack the bandwidth to address this in 4.7.

Comment 8 Rishu Mehra 2021-02-19 15:51:29 UTC
Updated the doc text field.

