Bug 1983091 - Logic for getting default pull secret incorrect on project page
Summary: Logic for getting default pull secret incorrect on project page
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Management Console
Version: 4.8
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.9.0
Assignee: Kim Dobestein
QA Contact: Yanping Zhang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-07-16 13:44 UTC by Samuel Padgett
Modified: 2021-10-18 17:40 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Application was not showing all the pull secrets from the default ServiceAccount.
Consequence: Missing information on the project details screen and the user needed to go to the default ServiceAccount YAML to view all default pull secrets.
Fix: List all pull secrets from the default ServiceAccount on the project details page.
Result:
Clone Of:
Environment:
Last Closed: 2021-10-18 17:39:54 UTC
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Github openshift console pull 9593 0 None open Bug 1983091: Logic for getting default pull secret incorrect on project page 2021-07-22 15:53:29 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:40:15 UTC

Description Samuel Padgett 2021-07-16 13:44:20 UTC
The logic here looks wrong: https://github.com/openshift/console/blob/master/frontend/public/components/namespace.jsx#L843

We're only looking for kubernetes.io/dockerconfigjson and not kubernetes.io/dockercfg. But to use the image in a pod, you'd need to add it to the default service account. We should show the secrets referenced in the service account on this page.

https://docs.openshift.com/container-platform/4.7/openshift_images/managing_images/using-image-pull-secrets.html#images-allow-pods-to-reference-images-from-secure-registries_using-image-pull-secrets
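
The difference between the two approaches discussed in the description, as an added example that is not part of the original report and not the console's own code. It contrasts filtering Secrets by the single type kubernetes.io/dockerconfigjson with reading the names referenced by the default ServiceAccount; all object names, the function names and the audit helper are constructed for illustration.

```javascript
// Constructed sample data: not taken from a real cluster.
const PULL_SECRET_TYPES = ['kubernetes.io/dockercfg', 'kubernetes.io/dockerconfigjson'];

const secrets = [
  { metadata: { name: 'default-dockercfg-abcde' }, type: 'kubernetes.io/dockercfg' },
  { metadata: { name: 'registry-linked' }, type: 'kubernetes.io/dockerconfigjson' },
  { metadata: { name: 'registry-unlinked' }, type: 'kubernetes.io/dockerconfigjson' },
  { metadata: { name: 'app-token' }, type: 'Opaque' },
];
const serviceAccounts = [
  { metadata: { name: 'builder' }, imagePullSecrets: [{ name: 'builder-dockercfg-fghij' }] },
  { metadata: { name: 'default' },
    imagePullSecrets: [{ name: 'default-dockercfg-abcde' }, { name: 'registry-linked' },
      { name: 'deleted-secret' }] },
];

// Approach the description calls wrong: select Secrets by one type only.
function byDockerConfigJsonType(allSecrets) {
  return allSecrets
    .filter((s) => s.type === 'kubernetes.io/dockerconfigjson')
    .map((s) => s.metadata.name);
}

// Approach the description asks for: names referenced by the default ServiceAccount.
function defaultPullSecretNames(allServiceAccounts) {
  const sa = allServiceAccounts.find((a) => a.metadata.name === 'default');
  // A missing ServiceAccount or a missing imagePullSecrets field yields an empty list.
  return ((sa && sa.imagePullSecrets) || []).map((ref) => ref.name);
}

// Hypothetical audit helper: compare the ServiceAccount's references with the Secrets that exist.
function auditDefaultPullSecrets(allSecrets, allServiceAccounts) {
  const byName = new Map(allSecrets.map((s) => [s.metadata.name, s]));
  const referenced = defaultPullSecretNames(allServiceAccounts);
  return {
    referenced,
    // Referenced by the ServiceAccount but absent, or not of a pull-secret type.
    unusable: referenced.filter(
      (n) => !byName.has(n) || !PULL_SECRET_TYPES.includes(byName.get(n).type)),
    // Pull-secret-typed Secrets that exist but are not linked to the default ServiceAccount.
    unlinked: allSecrets
      .filter((s) => PULL_SECRET_TYPES.includes(s.type) && !referenced.includes(s.metadata.name))
      .map((s) => s.metadata.name),
  };
}

console.log('by type only:', byDockerConfigJsonType(secrets));
console.log('from default ServiceAccount:', auditDefaultPullSecrets(secrets, serviceAccounts));
```

On the sample data the type filter misses the kubernetes.io/dockercfg secret and lists a secret the default ServiceAccount never references, which is the mismatch the report describes.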

Comment 6 Yanping Zhang 2021-07-30 10:45:12 UTC
Checked on ocp 4.9 cluster with payload 4.9.0-0.nightly-2021-07-29-103526.
1. Create a project and check the default pull secret on the project detail page; it displays "default-dockercfg-xczwx".
2. Create an image pull secret in the project and add the secret to the default sa in the project, then check the default pull secret on the project detail page again; the new image pull secret is also shown.
3. Create a role "example1" with view project/namespace permission but no permission to view secrets in the project:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example1
  uid: 785f7296-20fd-4f1a-8105-30be19f92539
  resourceVersion: '470509'
  creationTimestamp: '2021-07-30T10:31:43Z'
  managedFields:
    - manager: Mozilla
      operation: Update
      apiVersion: rbac.authorization.k8s.io/v1
      time: '2021-07-30T10:31:43Z'
      fieldsType: FieldsV1
      fieldsV1:
        'f:rules': {}
rules:
  - verbs:
      - get
      - watch
      - list
    apiGroups:
      - ''
    resources:
      - projects
  - verbs:
      - get
    apiGroups:
      - ''
    resources:
      - namespaces
4. Grant a normal user the "example1" role on the project.
5. Log in as the normal user and check the project detail page; the default pull secret field now displays: "Error loading default pull Secrets"

The bug is fixed.

Comment 9 errata-xmlrpc 2021-10-18 17:39:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759
