Description of problem:
A recent fix to the CBO gave CBO the permission to list and get pods in every namespace. CBO only needs to do that for Pods within the openshift-machine-api namespace.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:
CBO can list, get and watch Pods only in the openshift-machine-api namespace.

Additional info:
@sdasu Hey, how can I reproduce/verify this BZ?
@sdasu

I used the following process to verify that the cluster-baremetal-operator serviceaccount cannot see pods from namespaces other than openshift-machine-api:

oc describe sa cluster-baremetal-operator -n openshift-machine-api
oc describe secrets cluster-baremetal-operator-token-dxwtx -n openshift-machine-api
oc login --token=eyJhbGciOiJSU.....

oc get pods
Error from server (Forbidden): pods is forbidden: User "system:serviceaccount:openshift-machine-api:cluster-baremetal-operator" cannot list resource "pods" in API group "" in the namespace "default"

oc get pods -n openshift-machine-api
NAME                                           READY   STATUS    RESTARTS        AGE
cluster-autoscaler-operator-6fb8fc5cbb-sbd4d   2/2     Running   1 (3d20h ago)   3d20h
cluster-baremetal-operator-5d58dbc94c-jfflr    2/2     Running   2 (3d20h ago)   3d20h
machine-api-controllers-54b8ff44c8-jwtqx       7/7     Running   0               3d20h
machine-api-operator-57648b678d-frrfq          2/2     Running   1 (3d20h ago)   3d20h
metal3-6db6ff88df-2klvh                        7/7     Running   0               3d20h
metal3-image-cache-4kvp6                       1/1     Running   0               3d20h
metal3-image-cache-fspq9                       1/1     Running   0               3d20h
metal3-image-cache-gj9mr                       1/1     Running   0               3d20h
metal3-image-customization-6745d749b8-vdgsm

please confirm
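The verification above logs in with the service account's token secret and tries `oc get pods` in two namespaces. As an added example (not part of this bug report or of the cluster-baremetal-operator project), the same check can be done without extracting any secret, by impersonating the service account with `oc auth can-i --as=...`; it probes every verb the fix is meant to scope (list, get, watch), a configurable set of namespaces the SA must not see (the `OTHER_NS` list is an assumption, adjust it to the cluster), and the cluster-wide case, which is where a leftover ClusterRole grant would still show up even if every probed namespace looked clean:

```shell
#!/usr/bin/env bash
# Added example, not the bug's own verification steps: confirm that the
# cluster-baremetal-operator service account can list/get/watch pods only in
# openshift-machine-api, using impersonation instead of the SA token secret.
set -u

SA="system:serviceaccount:openshift-machine-api:cluster-baremetal-operator"
ALLOWED_NS="openshift-machine-api"
# Assumption: namespaces to probe for leaked access; override via the environment.
OTHER_NS="${OTHER_NS:-default kube-system openshift-monitoring}"

# can_i VERB NAMESPACE -> prints "yes" or "no".
# Stdout is used rather than the exit status, because `oc auth can-i`
# exits 1 both for "no" and for API errors.
can_i() {
    v=$1; n=$2
    oc auth can-i "$v" pods -n "$n" --as="$SA" 2>/dev/null || true
}

# can_i_all VERB -> "yes"/"no" for the verb across all namespaces.
can_i_all() {
    oc auth can-i "$1" pods --all-namespaces --as="$SA" 2>/dev/null || true
}

# check_sa_scope -> returns 0 when the SA has list/get/watch on pods in
# ALLOWED_NS and none of those verbs in any other namespace or cluster-wide;
# returns 1 and prints every violation otherwise.
check_sa_scope() {
    rc=0
    for verb in list get watch; do
        # Positive check: the operator still needs these in its own namespace.
        if [ "$(can_i "$verb" "$ALLOWED_NS")" != "yes" ]; then
            echo "FAIL: $SA cannot $verb pods in $ALLOWED_NS"
            rc=1
        fi
        # Negative check per namespace.
        for ns in $OTHER_NS; do
            if [ "$(can_i "$verb" "$ns")" = "yes" ]; then
                echo "FAIL: $SA can $verb pods in $ns (expected $ALLOWED_NS only)"
                rc=1
            fi
        done
        # Negative check cluster-wide: a ClusterRole/ClusterRoleBinding on pods
        # answers "yes" here regardless of which namespaces were probed above.
        if [ "$(can_i_all "$verb")" = "yes" ]; then
            echo "FAIL: $SA can $verb pods across all namespaces"
            rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK: $SA pod access is limited to $ALLOWED_NS"
    fi
    return "$rc"
}

# Run the check only when invoked as `./check-cbo-rbac.sh run`, so the file
# can also be sourced and check_sa_scope called from elsewhere.
if [ "${1:-}" = "run" ]; then
    check_sa_scope
fi
```

Run it as a user with permission to impersonate (cluster-admin has it) against a cluster on a fixed build; a non-zero exit with one or more `FAIL:` lines means the SA still has pod access outside openshift-machine-api, and the offending namespace or the cluster-wide line tells you whether to look for a stray RoleBinding or a ClusterRoleBinding.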
Verified with 4.10.0-0.nightly-2022-01-11-065245 release using above steps
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056
(In reply to Jad Haj Yahya from comment #4)
> @sdasu
>
> I used the following process to verify that the cluster-baremetal-operator
> serviceaccount cannot see pods from namespaces other than
> openshift-machine-api:
>
>
> oc describe sa cluster-baremetal-operator -n openshift-machine-api
> oc describe secrets cluster-baremetal-operator-token-dxwtx -n
> openshift-machine-api
> oc login --token=eyJhbGciOiJSU.....
>
> oc get pods
> Error from server (Forbidden): pods is forbidden: User
> "system:serviceaccount:openshift-machine-api:cluster-baremetal-operator"
> cannot list resource "pods" in API group "" in the namespace "default"
>
> oc get pods -n openshift-machine-api
> NAME                                           READY   STATUS    RESTARTS        AGE
> cluster-autoscaler-operator-6fb8fc5cbb-sbd4d   2/2     Running   1 (3d20h ago)   3d20h
> cluster-baremetal-operator-5d58dbc94c-jfflr    2/2     Running   2 (3d20h ago)   3d20h
> machine-api-controllers-54b8ff44c8-jwtqx       7/7     Running   0               3d20h
> machine-api-operator-57648b678d-frrfq          2/2     Running   1 (3d20h ago)   3d20h
> metal3-6db6ff88df-2klvh                        7/7     Running   0               3d20h
> metal3-image-cache-4kvp6                       1/1     Running   0               3d20h
> metal3-image-cache-fspq9                       1/1     Running   0               3d20h
> metal3-image-cache-gj9mr                       1/1     Running   0               3d20h
> metal3-image-customization-6745d749b8-vdgsm
>
>
> please confirm

Yes, that is correct.