Bug 2065577 - user with user-workload-monitoring-config-edit role can not create user-workload-monitoring-config configmap
Summary: user with user-workload-monitoring-config-edit role can not create user-workl...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Monitoring
Version: 4.10
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: low
Target Milestone: ---
Target Release: 4.11.0
Assignee: Joao Marcal
QA Contact: Junqi Zhao
Docs Contact: Brian Burt
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-03-18 08:59 UTC by Junqi Zhao
Modified: 2022-08-10 10:55 UTC
CC List: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Before this update, when user-workload-monitoring was enabled, the user-workload-monitoring-config configmap was not created by default. As a result, a user with the user-workload-monitoring-config-edit role could neither configure UWM nor create the configmap. With this update, the user-workload-monitoring-config configmap is created by default, which resolves the issue.
Clone Of:
Environment:
Last Closed: 2022-08-10 10:54:40 UTC
Target Upstream Version:
Embargoed:

Links
Github openshift/cluster-monitoring-operator pull 1603 (Merged): Bug 2065577: CMO now creates by default an empty CM for UWM (last updated 2022-08-01 21:10:58 UTC)
Red Hat Product Errata RHSA-2022:5069 (last updated 2022-08-10 10:55:14 UTC)

Description Junqi Zhao 2022-03-18 08:59:23 UTC
Description of problem:
issue is found when review doc:
https://github.com/openshift/openshift-docs/pull/43449/

enabled UWM and granted the user-workload-monitoring-config-edit role to user testuser-11; no user-workload-monitoring-config configmap exists
# oc -n openshift-user-workload-monitoring get cm user-workload-monitoring-config
Error from server (NotFound): configmaps "user-workload-monitoring-config" not found

# oc -n openshift-user-workload-monitoring adm policy add-role-to-user user-workload-monitoring-config-edit testuser-11 --role-namespace openshift-user-workload-monitoring

# oc -n openshift-user-workload-monitoring get rolebinding user-workload-monitoring-config-edit -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2022-03-18T07:51:54Z"
  name: user-workload-monitoring-config-edit
  namespace: openshift-user-workload-monitoring
  resourceVersion: "231116"
  uid: 3b0d0b86-b353-4558-a953-0ee7c0f47e99
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: user-workload-monitoring-config-edit
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: testuser-11

oc login as testuser-11 and create the user-workload-monitoring-config configmap; the user doesn't have permission
********************************
# oc create -f - << EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: user-workload-monitoring-config
  namespace: openshift-user-workload-monitoring
data:
  config.yaml: |
    prometheus:
      queryLogFile: /tmp/test-uwm.log
EOF
********************************
Error from server (Forbidden): error when creating "STDIN": configmaps is forbidden: User "testuser-11" cannot create resource "configmaps" in API group "" in the namespace "openshift-user-workload-monitoring"

If the user-workload-monitoring-config configmap exists, a user with the user-workload-monitoring-config-edit role can edit it.

Version-Release number of selected component (if applicable):
4.10.0-0.nightly-2022-03-17-204457

How reproducible:
always

Steps to Reproduce:
1. see the description

Actual results:
user with user-workload-monitoring-config-edit role can not create user-workload-monitoring-config configmap

Expected results:


Additional info:

Comment 1 Junqi Zhao 2022-03-18 09:05:09 UTC
# oc -n openshift-user-workload-monitoring get role user-workload-monitoring-config-edit -oyaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  creationTimestamp: "2022-03-17T23:19:13Z"
  name: user-workload-monitoring-config-edit
  namespace: openshift-user-workload-monitoring
  resourceVersion: "8704"
  uid: 6455ea58-4ffb-43d2-ac34-5ac2bbbc43dd
rules:
- apiGroups:
  - ""
  resourceNames:
  - user-workload-monitoring-config
  resources:
  - configmaps
  verbs:
  - '*'

Comment 2 Simon Pasquier 2022-03-18 09:25:23 UTC
It makes sense since the create operation can't target a specific resource.
One option would be for CMO to create an empty user-workload-monitoring-config-edit configmap if none exists. We can also scope down the "user-workload-monitoring-config" role to allow only "patch", "get", "list", "watch" and "update" verbs.

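The Role in comment 1 and the explanation in comment 2 come down to one property of Kubernetes RBAC: a rule with resourceNames only matches a request whose name is listed, and a create request carries no name at authorization time (the object name is in the POST body, not the URL), so a resourceNames-scoped Role can never grant create, whatever its verbs say. The following is an added example, not code from the bug report or from cluster-monitoring-operator: a small Python model of the RuleAllows / ResourceNameMatches logic from kubernetes/pkg/apis/rbac/v1/evaluation_helpers.go, run against the Role as shown in comment 1 and against the scoped-down verb list proposed in comment 2. The second configmap name used for the negative check is made up for the example.

```python
# Added example, not code from the bug report or from cluster-monitoring-operator.
# Models Kubernetes RBAC rule matching (RuleAllows / ResourceNameMatches in
# k8s.io/kubernetes/pkg/apis/rbac/v1/evaluation_helpers.go) to show why a
# resourceNames-scoped Role cannot grant "create".
from dataclasses import dataclass, field
from typing import List


@dataclass
class Rule:
    """One entry of a Role's .rules list."""
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)


@dataclass
class Request:
    """The attributes the authorizer sees for a resource request."""
    verb: str
    api_group: str
    resource: str
    name: str = ""  # empty for create: the POST goes to the collection URL


def _matches(wanted: str, candidates: List[str]) -> bool:
    """Wildcard-aware membership, as used for verbs, apiGroups and resources."""
    return "*" in candidates or wanted in candidates


def rule_allows(rule: Rule, req: Request) -> bool:
    if not _matches(req.verb, rule.verbs):
        return False
    if not _matches(req.api_group, rule.api_groups):
        return False
    if not _matches(req.resource, rule.resources):
        return False
    # An empty resourceNames list means "any name"; a non-empty one must contain
    # the request's name. For create the name is "", which is never listed.
    if rule.resource_names and req.name not in rule.resource_names:
        return False
    return True


def allowed(rules: List[Rule], req: Request) -> bool:
    """A request is allowed if any rule of the bound Role allows it."""
    return any(rule_allows(r, req) for r in rules)


CM = "user-workload-monitoring-config"

# The Role as shown in comment 1: every verb, but only on one configmap name.
UWM_CONFIG_EDIT = [
    Rule(api_groups=[""], resources=["configmaps"], verbs=["*"], resource_names=[CM]),
]

# The scoped-down variant from comment 2: no create, and no delete either.
UWM_CONFIG_EDIT_SCOPED = [
    Rule(api_groups=[""], resources=["configmaps"],
         verbs=["get", "list", "watch", "update", "patch"], resource_names=[CM]),
]


def can_create(rules: List[Rule]) -> bool:
    return allowed(rules, Request("create", "", "configmaps"))


def can_update(rules: List[Rule]) -> bool:
    return allowed(rules, Request("update", "", "configmaps", CM))


def can_delete(rules: List[Rule]) -> bool:
    return allowed(rules, Request("delete", "", "configmaps", CM))


def can_get_other(rules: List[Rule]) -> bool:
    """Any other configmap in the namespace stays out of reach (name is made up)."""
    return allowed(rules, Request("get", "", "configmaps", "some-other-configmap"))


if __name__ == "__main__":
    for label, rules in (("verbs: '*'", UWM_CONFIG_EDIT), ("scoped verbs", UWM_CONFIG_EDIT_SCOPED)):
        print(f"{label}: create={can_create(rules)} update={can_update(rules)} "
              f"delete={can_delete(rules)} get other cm={can_get_other(rules)}")
```

With the comment 1 Role the model reports create=False but update=True and delete=True, which is exactly the behaviour in the description: testuser-11 can edit the configmap once it exists but never create it, and could also delete it. Pre-creating an empty configmap (the fix that was merged) makes update and patch sufficient; dropping create and delete from the verb list (the second option in comment 2) then costs nothing and removes the ability to delete the configmap. The model does not cover the upstream special case where a list or watch request with a metadata.name field selector is authorized against that name. On a real cluster the equivalent checks are `oc auth can-i create configmaps -n openshift-user-workload-monitoring --as testuser-11` and `oc auth can-i update configmaps/user-workload-monitoring-config -n openshift-user-workload-monitoring --as testuser-11`.
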
Comment 10 errata-xmlrpc 2022-08-10 10:54:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:5069