Bug 1894020 - User with edit users cannot deploy images from their own namespace from the developer perspective
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Dev Console
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.7.0
Assignee: Karthik Jeeyar
QA Contact: Gajanan More
Docs Contact: Harsh Mishra
URL:
Whiteboard:
Depends On:
Blocks: 1933727
Reported: 2020-11-03 11:03 UTC by Catherine_H
Modified: 2021-03-31 07:06 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previously, the user was denied access to pull images from other projects, due to insufficient user permissions. This bug fix removes all the user interface checks for role bindings and shows the `oc` command alert to help users use the command line. With this bug fix, the user is no longer blocked from creating images from different namespaces and is now able to deploy images from their other projects.
Clone Of:
Clones: 1933727
Environment:
Last Closed: 2021-02-24 15:29:22 UTC
Target Upstream Version:


Links
System ID Private Priority Status Summary Last Updated
Github openshift console pull 7727 0 None closed Bug 1894020: fix Internal registry deploy flow 2021-02-15 16:27:13 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:29:45 UTC

Description Catherine_H 2020-11-03 11:03:16 UTC
Description of problem:
Users with edit rights are unable to deploy images from their own namespace in the UI, but they can do it using the CLI.


Version-Release number of selected component (if applicable):
4.5.15
4.4.16

How reproducible:
Always

Steps to Reproduce:
1. Create a user with edit rights
2. Log in to the console and open the developer perspective
3. Click on "+ Add" and then choose "Container Image"
4. Choose "Image name from internal registry" and expand the dropdown

Actual results:

Error Message:
Warning alert:Permission denied
Service account default does not have authority to pull images from deploy-image. Select another project to continue.

Expected results:

No errors, and should be able to deploy normally, as with the command line.

Additional info:

Command line output:

# oc get rolebinding
NAME                    ROLE                               AGE
edit                    ClusterRole/edit                   21m
system:deployers        ClusterRole/system:deployer        52m
system:image-builders   ClusterRole/system:image-builder   52m
system:image-pullers    ClusterRole/system:image-puller    52m

# oc get istag
NAME       IMAGE REFERENCE                                                                                                  UPDATED
ruby:2.6   registry.redhat.io/rhscl/ruby-26-rhel7@sha256:4da4d3ce3bf718a0f0965300b6dd914c2e698b7202f5af4fafde21e6be6b06fd   26 seconds ago

# oc get is
NAME       IMAGE REPOSITORY   TAGS   UPDATED
registry                      2      
ruby                          2.6    28 seconds ago

oc get --raw /apis/image.openshift.io/v1/namespaces/deploy-image/imagestreams
{"kind":"ImageStreamList","apiVersion":"image.openshift.io/v1","metadata":{"selfLink":"/apis/image.openshift.io/v1/namespaces/deploy-image/imagestreams","resourceVersion":"9136644"},"items":[{"metadata":{"name":"registry","namespace":"deploy-image","selfLink":"/apis/image.openshift.io/v1/namespaces/deploy-image/imagestreams/registry","uid":"519cfbae-27cf-4e17-bd9a-0999cfea6131","resourceVersion":"9134968","generation":3,"creationTimestamp":"2020-11-03T10:18:25Z","annotations":{"openshift.io/image.dockerRepositoryCheck":"2020-11-03T10:20:42Z"}},"spec":{"lookupPolicy":{"local":false},"tags":[{"name":"2","annotations":null,"from":{"kind":"DockerImage","name":"docker.io/library/registry:2"},"generation":3,"importPolicy":{},"referencePolicy":{"type":"Source"}}]},"status":{"dockerImageRepository":"","tags":[{"tag":"2","items":null,"conditions":[{"type":"ImportSuccess","status":"False","lastTransitionTime":"2020-11-03T10:20:42Z","reason":"InternalError","message":"Internal error occurred: docker.io/library/registry:2: Get https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/2d/2d4f4b5309b1e41b4f83ae59b44df6d673ef44433c734b14c1c103ebca82c116/data?verify=1604402734-4hsrV327A2AP616jdeiGvZTf8bA%3D: net/http: TLS handshake timeout","generation":3}]}]}},{"metadata":{"name":"ruby","namespace":"deploy-image","selfLink":"/apis/image.openshift.io/v1/namespaces/deploy-image/imagestreams/ruby","uid":"11bb36f3-5379-4729-a729-b757fe71fa6d","resourceVersion":"9136451","generation":2,"creationTimestamp":"2020-11-03T10:24:59Z","annotations":{"openshift.io/image.dockerRepositoryCheck":"2020-11-03T10:25:01Z"}},"spec":{"lookupPolicy":{"local":false},"tags":[{"name":"2.6","annotations":{"description":"Build and run Ruby 2.6 applications on RHEL 7. 
For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-ruby-container/blob/master/2.6/README.md.","iconClass":"icon-ruby","openshift.io/display-name":"Ruby 2.6","openshift.io/provider-display-name":"Red Hat, Inc.","sampleRepo":"https://github.com/sclorg/ruby-ex.git","supports":"ruby:2.6,ruby","tags":"builder,ruby","version":"2.6"},"from":{"kind":"DockerImage","name":"registry.redhat.io/rhscl/ruby-26-rhel7:latest"},"generation":2,"importPolicy":{},"referencePolicy":{"type":"Local"}}]},"status":{"dockerImageRepository":"","tags":[{"tag":"2.6","items":[{"created":"2020-11-03T10:25:01Z","dockerImageReference":"registry.redhat.io/rhscl/ruby-26-rhel7@sha256:4da4d3ce3bf718a0f0965300b6dd914c2e698b7202f5af4fafde21e6be6b06fd","image":"sha256:4da4d3ce3bf718a0f0965300b6dd914c2e698b7202f5af4fafde21e6be6b06fd","generation":2}]}]}}]}
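
Added example, not part of the bug report or of the console code base: a check that evaluates a namespace's rolebindings the way RBAC does for a service account, counting group subjects such as `system:serviceaccounts:<namespace>` as well as direct ones, to tell whether the account holds `system:image-puller` there. The sample rolebinding data, the `other-project` and `third-project` namespaces, the `pull-for-other-project` binding and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `oc get rolebinding -n deploy-image -o json`,
# trimmed to the fields read below. Subjects are assumptions, not bug-report data.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "edit", "namespace": "deploy-image"},
  "roleRef": {"kind": "ClusterRole", "name": "edit"},
  "subjects": [{"kind": "User", "name": "developer"}]},
 {"metadata": {"name": "system:image-pullers", "namespace": "deploy-image"},
  "roleRef": {"kind": "ClusterRole", "name": "system:image-puller"},
  "subjects": [{"kind": "Group", "name": "system:serviceaccounts:deploy-image"}]},
 {"metadata": {"name": "pull-for-other-project", "namespace": "deploy-image"},
  "roleRef": {"kind": "ClusterRole", "name": "system:image-puller"},
  "subjects": [{"kind": "ServiceAccount", "name": "default",
                "namespace": "other-project"}]}
]}
""")

def subject_matches(subject, binding_ns, sa_ns, sa_name):
    """True if one RBAC subject entry covers the given service account."""
    kind, name = subject.get("kind"), subject.get("name")
    if kind == "ServiceAccount":
        # Assumption: a subject without a namespace means the binding's own.
        return (subject.get("namespace") or binding_ns, name) == (sa_ns, sa_name)
    if kind == "Group":
        # Groups every service account in sa_ns authenticates with.
        return name in {"system:serviceaccounts",
                        f"system:serviceaccounts:{sa_ns}",
                        "system:authenticated"}
    if kind == "User":
        return name == f"system:serviceaccount:{sa_ns}:{sa_name}"
    return False

def bindings_granting_pull(rolebindings, sa_ns, sa_name,
                           roles=frozenset({"system:image-puller"})):
    """Names of rolebindings that give the service account one of `roles`."""
    granted = []
    for rb in rolebindings.get("items", []):
        if rb.get("roleRef", {}).get("name") not in roles:
            continue
        ns = rb["metadata"].get("namespace")
        if any(subject_matches(s, ns, sa_ns, sa_name)
               for s in rb.get("subjects") or []):
            granted.append(rb["metadata"]["name"])
    return granted

if __name__ == "__main__":
    for ns in ("deploy-image", "other-project", "third-project"):
        print(ns, bindings_granting_pull(SAMPLE, ns, "default"))
```

A cross-project binding like the constructed `pull-for-other-project` entry is what `oc policy add-role-to-user system:image-puller system:serviceaccount:<target>:default -n <source>` creates.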

Comment 4 Vikram Raj 2021-01-13 17:11:36 UTC
Verified. 
Tested on cluster- 4.7.0-0.ci.test-2021-01-13-142130-ci-ln-rj5gpwk

Comment 7 errata-xmlrpc 2021-02-24 15:29:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633

