OpenShift Builds: BUILD-1171

[builds-1.2] Shared Resources: Cluster Admin Must Create Globally Cluster-Scoped Permissions

    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • Versions: builds-1.2, builds-1.1
    • Component: shared-resources
    • Release Note Type: Bug Fix
    • Sprint: Builds Sprint #17
    • Approved

      Release Note Text:
      Before this update, the Shared Resource CSI driver could not mount SharedSecret and SharedConfigMaps due to missing OpenShift RBAC permissions. This update fixes the issue by granting these global permissions to the CSI driver. Now, the Shared Resource CSI Driver should be able to access SharedSecret and SharedConfigMaps and perform necessary permission checks without additional action from cluster administrators.

      Description of problem:

      When the Shared Resource CSI driver is deployed by Builds for OpenShift, the cluster admin must grant the CSI driver additional RBAC permissions that are globally cluster-scoped. This is something the operator should take care of.

      Workaround: Admin grants the following RBAC to the Shared Resource CSI Driver:

      • "create" SubjectAccessReviews
      • "get", "list", and "watch" SharedSecret and SharedConfigMap objects
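      The workaround above expressed as a ClusterRole and ClusterRoleBinding. This is an added example, not a manifest shipped by the operator or the CSI driver; the role and binding names, the driver's service account name (`shared-resource-csi-driver`) and its namespace (`openshift-builds`) are assumptions and must be replaced with the values from your installation. `authorization.k8s.io` is the API group of SubjectAccessReview and `sharedresource.openshift.io` the API group of the SharedSecret and SharedConfigMap CRDs; the rules grant only the verbs listed in the workaround and nothing on the underlying Secrets or ConfigMaps.

```yaml
# Added example: cluster-scoped RBAC matching the workaround in BUILD-1171.
# Not part of the Builds for OpenShift operator's own manifests.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: shared-resource-csi-driver-workaround   # assumed name
rules:
  # "create" SubjectAccessReviews: lets the driver ask the API server whether
  # the requesting pod's service account may use the referenced shared resource.
  - apiGroups: ["authorization.k8s.io"]
    resources: ["subjectaccessreviews"]
    verbs: ["create"]
  # "get", "list" and "watch" the SharedSecret / SharedConfigMap objects
  # themselves so the driver can resolve what a volume refers to.
  - apiGroups: ["sharedresource.openshift.io"]
    resources: ["sharedsecrets", "sharedconfigmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: shared-resource-csi-driver-workaround   # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: shared-resource-csi-driver-workaround
subjects:
  - kind: ServiceAccount
    name: shared-resource-csi-driver   # assumed: the CSI driver's service account
    namespace: openshift-builds        # assumed: the namespace the operator installs into
```

      Apply it with `oc apply -f <file>`, then confirm the grant took effect by impersonating the service account, e.g. `oc auth can-i create subjectaccessreviews --as=system:serviceaccount:openshift-builds/shared-resource-csi-driver` and `oc auth can-i get sharedsecrets.sharedresource.openshift.io --as=system:serviceaccount:openshift-builds/shared-resource-csi-driver`; both should answer `yes`. Keeping the role to exactly these verbs is the point: the driver needs to verify and resolve shared resources, not to read arbitrary Secrets cluster-wide.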

      Prerequisites (if any, like setup, operators/versions):

      Builds for OpenShift 1.1.0

      Steps to Reproduce

      1. Deploy Operator
      2. Follow the procedure to share a Secret or ConfigMap in a pod as outlined in the OCP 4.16 docs: link
      Actual results:

      Pod is not created because the CSI driver cannot find the referenced SharedSecret or SharedConfigMap

      Expected results:

      Pod is not created because the CSI driver can't access the underlying Secret or ConfigMap. This is the new behavior we want to introduce as part of GA-ing the CSI driver.

      Reproducibility (Always/Intermittent/Only Once):

      Always

      Acceptance criteria: 

      • Cluster admins do not need to grant the CSI driver permission to create subject access reviews
      • Cluster admins do not need to grant the CSI driver permission to get, list, or watch SharedSecret and SharedConfigMap objects

      Definition of Done:

      Build Details:

      Additional info (Such as Logs, Screenshots, etc):

              Assignee / Reporter: Adam Kaplan (adkaplan@redhat.com)