Description of problem:
Users with edit rights are unable to deploy images from their own namespace in the UI, but they can do it using the CLI.

Version-Release number of selected component (if applicable):
4.5.15
4.4.16

How reproducible:
Always

Steps to Reproduce:
1. Create a user with edit rights
2. Log in to the console and open the developer perspective
3. Click on "+ Add" and then choose "Container Image"
4. Choose "Image name from internal registry" and expand the dropdown

Actual results:
Error Message:
Warning alert:Permission denied
Service account default does not have authority to pull images from deploy-image. Select another project to continue.

Expected results:
No errors, and deployment should work normally, as it does from the command line.

Additional info:
Command line output:

# oc get rolebinding
NAME                    ROLE                               AGE
edit                    ClusterRole/edit                   21m
system:deployers        ClusterRole/system:deployer        52m
system:image-builders   ClusterRole/system:image-builder   52m
system:image-pullers    ClusterRole/system:image-puller    52m

# oc get istag
NAME       IMAGE REFERENCE                                                                                                   UPDATED
ruby:2.6   registry.redhat.io/rhscl/ruby-26-rhel7@sha256:4da4d3ce3bf718a0f0965300b6dd914c2e698b7202f5af4fafde21e6be6b06fd   26 seconds ago

# oc get is
NAME       IMAGE REPOSITORY   TAGS   UPDATED
registry                      2
ruby                          2.6    28 seconds ago

oc get --raw /apis/image.openshift.io/v1/namespaces/deploy-image/imagestreams
{"kind":"ImageStreamList","apiVersion":"image.openshift.io/v1","metadata":{"selfLink":"/apis/image.openshift.io/v1/namespaces/deploy-image/imagestreams","resourceVersion":"9136644"},"items":[{"metadata":{"name":"registry","namespace":"deploy-image","selfLink":"/apis/image.openshift.io/v1/namespaces/deploy-image/imagestreams/registry","uid":"519cfbae-27cf-4e17-bd9a-0999cfea6131","resourceVersion":"9134968","generation":3,"creationTimestamp":"2020-11-03T10:18:25Z","annotations":{"openshift.io/image.dockerRepositoryCheck":"2020-11-03T10:20:42Z"}},"spec":{"lookupPolicy":{"local":false},"tags":[{"name":"2","annotations":null,"from":{"kind":"DockerImage","name":"docker.io/library/registry:2"},"generation":3,"importPolicy":{},"referencePolicy":{"type":"Source"}}]},"status":{"dockerImageRepository":"","tags":[{"tag":"2","items":null,"conditions":[{"type":"ImportSuccess","status":"False","lastTransitionTime":"2020-11-03T10:20:42Z","reason":"InternalError","message":"Internal error occurred: docker.io/library/registry:2: Get https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/2d/2d4f4b5309b1e41b4f83ae59b44df6d673ef44433c734b14c1c103ebca82c116/data?verify=1604402734-4hsrV327A2AP616jdeiGvZTf8bA%3D: net/http: TLS handshake timeout","generation":3}]}]}},{"metadata":{"name":"ruby","namespace":"deploy-image","selfLink":"/apis/image.openshift.io/v1/namespaces/deploy-image/imagestreams/ruby","uid":"11bb36f3-5379-4729-a729-b757fe71fa6d","resourceVersion":"9136451","generation":2,"creationTimestamp":"2020-11-03T10:24:59Z","annotations":{"openshift.io/image.dockerRepositoryCheck":"2020-11-03T10:25:01Z"}},"spec":{"lookupPolicy":{"local":false},"tags":[{"name":"2.6","annotations":{"description":"Build and run Ruby 2.6 applications on RHEL 7. 
For more information about using this builder image, including OpenShift considerations, see https://github.com/sclorg/s2i-ruby-container/blob/master/2.6/README.md.","iconClass":"icon-ruby","openshift.io/display-name":"Ruby 2.6","openshift.io/provider-display-name":"Red Hat, Inc.","sampleRepo":"https://github.com/sclorg/ruby-ex.git","supports":"ruby:2.6,ruby","tags":"builder,ruby","version":"2.6"},"from":{"kind":"DockerImage","name":"registry.redhat.io/rhscl/ruby-26-rhel7:latest"},"generation":2,"importPolicy":{},"referencePolicy":{"type":"Local"}}]},"status":{"dockerImageRepository":"","tags":[{"tag":"2.6","items":[{"created":"2020-11-03T10:25:01Z","dockerImageReference":"registry.redhat.io/rhscl/ruby-26-rhel7@sha256:4da4d3ce3bf718a0f0965300b6dd914c2e698b7202f5af4fafde21e6be6b06fd","image":"sha256:4da4d3ce3bf718a0f0965300b6dd914c2e698b7202f5af4fafde21e6be6b06fd","generation":2}]}]}}]}
Verified. Tested on cluster- 4.7.0-0.ci.test-2021-01-13-142130-ci-ln-rj5gpwk
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633