Bug 2022745 - Cluster reader is not able to list NodeNetwork* objects
Summary: Cluster reader is not able to list NodeNetwork* objects
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.10
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
: 4.11.0
Assignee: Christoph Stäbler
QA Contact: Aleksandra Malykhin
URL:
Whiteboard:
: 2057474 2060269
Depends On:
Blocks: 2087091
 
Reported: 2021-11-12 13:50 UTC by Petr Horáček
Modified: 2022-08-10 10:40 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: Users with role "cluster-reader" could not read custom resources from kubernetes-nmstate (e.g. NodeNetworkConfigurationPolicy). Consequence: Users of this role could not check status. Fix: Permissions to read kubernetes-nmstate resources have been added to cluster-reader role. Result: Users with "cluster-reader" role can read kubernetes-nmstate custom resources.
Clone Of:
: 2087091
Environment:
Last Closed: 2022-08-10 10:39:46 UTC
Target Upstream Version:
Embargoed:

Links:
- GitHub nmstate/kubernetes-nmstate pull 1052 (Merged): rbac: Add missing cluster-reader verbs. Last updated 2022-05-29 08:11:18 UTC
- GitHub openshift/kubernetes-nmstate pull 272 (Merged): Rebase to kubernetes-nmstate v0.71.0. Last updated 2022-05-29 08:11:22 UTC
- Red Hat Product Errata RHSA-2022:5069. Last updated 2022-08-10 10:40:12 UTC

Description Petr Horáček 2021-11-12 13:50:25 UTC
Description of problem:
As a user with cluster-reader role I should be able to read resources connected with cluster's network configuration. In this case, I want access to NodeNetworkConfigurationPolicy, NodeNetworkConfigurationEnactment and NodeNetworkState. This is however not possible today.


Version-Release number of selected component (if applicable):
OpenShift 4.8, 4.9


How reproducible:
Always


Steps to Reproduce:
1. Bind an unprivileged user with cluster-reader role
2. Log in as such user
3. List NNS (oc get nns)

Actual results:
The list fails due to the lack of privileges.


Expected results:
The user should be able to list and read these resources, just as nnce and nncp.


Additional info:
This can be accomplished through aggregated roles. Similar to this role used for NAD:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: net-attach-def-project
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["k8s.cni.cncf.io"]
  resources: ["network-attachment-definitions"]
  verbs: ["watch", "list"]

This must be deployed only if the target role is available.
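
The same aggregation pattern applied to the kubernetes-nmstate resources named in this report, written here as an added illustration rather than taken from the upstream fix; it assumes the nmstate CRDs live in the nmstate.io API group and that OpenShift's cluster-reader ClusterRole aggregates roles carrying the rbac.authorization.k8s.io/aggregate-to-cluster-reader label.

```yaml
# Added illustration, not the code from the linked pull requests.
# Assumptions: API group nmstate.io for the nmstate CRDs, and a
# cluster-reader ClusterRole whose aggregationRule selects the label
# rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nmstate-cluster-reader
  labels:
    # The API server's aggregation controller copies these rules into
    # cluster-reader whenever that role's selector matches this label.
    # If no role selects the label, the object is inert, which covers
    # the "deploy only if the target role is available" concern: an
    # unmatched label grants nothing by itself.
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rules:
- apiGroups: ["nmstate.io"]
  resources:
  - nodenetworkstates
  - nodenetworkconfigurationpolicies
  - nodenetworkconfigurationenactments
  # Read-only verbs only. No create, update, patch or delete, so a
  # cluster-reader can inspect node network state and policy status
  # without being able to reconfigure host networking.
  verbs: ["get", "list", "watch"]
```

Once the object exists, `oc auth can-i list nodenetworkstates.nmstate.io --as=<reader-user>` is a quick check that the rules were picked up, and `oc get clusterrole cluster-reader -o yaml` shows the aggregated rules in place.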

Comment 1 Ruth Netser 2022-03-03 13:09:47 UTC
*** Bug 2060269 has been marked as a duplicate of this bug. ***

Comment 2 Petr Horáček 2022-05-03 13:47:54 UTC
The issue was fixed U/S. Moving to the standalone knmstate component for verification.

Comment 3 Petr Horáček 2022-05-04 07:59:50 UTC
*** Bug 2057474 has been marked as a duplicate of this bug. ***

Comment 6 Aleksandra Malykhin 2022-05-30 05:54:19 UTC
Verified with Kubernetes NMState Operator 4.11.0-202205250927

Steps to Reproduce:
1. Bind an unprivileged user with cluster-reader role
2. Log in as such user
3. List NNS (oc get nns)

[test@provisionhost-0-0 ~]$ oc get nns
NAME         AGE
master-0-0   3m42s
master-0-1   3m42s
master-0-2   3m42s
worker-0-0   3m43s
worker-0-1   3m43s
[test@provisionhost-0-0 ~]$ oc get nncp
NAME       STATUS      REASON
createif   Available   SuccessfullyConfigured

Comment 8 errata-xmlrpc 2022-08-10 10:39:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069

