Description of problem: As a used with cluster-reader role I should be able to read resources connected with cluster's network configuration. In this case, I want access to NodeNetworkConfigurationPolicy, NodeNetworkConfigurationEnactment and NodeNetworkState. This is however not possible today. Version-Release number of selected component (if applicable): OpenShift 4.8, 4.9 How reproducible: Always Steps to Reproduce: 1. Bind an unprivileged user with cluster-reader role 2. Log in as such user 3. List NNS (oc get nns) Actual results: The list fails due to the lack of privileges. Expected results: The user should be able to list and read these resources, just as nnce and nncp. Additional info: This can be accomplished through aggregated roles. Similar to this role used for NAD: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: net-attach-def-project labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" rules: - apiGroups: ["k8s.cni.cncf.io"] resources: ["network-attachment-definitions"] verbs: ["watch", "list"] This must be deployed only if the target role is available.
*** Bug 2060269 has been marked as a duplicate of this bug. ***
The issue was fixed U/S. Moving to the standalone knmstate component for verification.
*** Bug 2057474 has been marked as a duplicate of this bug. ***
Verified with Kubernetes NMState Operator 4.11.0-202205250927 Steps to Reproduce: 1. Bind an unprivileged user with cluster-reader role 2. Log in as such user 3. List NNS (oc get nns) [test@provisionhost-0-0 ~]$ oc get nns NAME AGE master-0-0 3m42s master-0-1 3m42s master-0-2 3m42s worker-0-0 3m43s worker-0-1 3m43s [test@provisionhost-0-0 ~]$ oc get nncp NAME STATUS REASON createif Available SuccessfullyConfigured
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069