OpenShift Virtualization / CNV-30342

[2217956] volumeclonesources.cdi.kubevirt.io, volumeimportsources.cdi.kubevirt.io and volumeuploadsources.cdi.kubevirt.io are not part of system:cluster-readers

      Description of problem: The following CRDs are missing the system:cluster-readers role:
      volumeclonesources.cdi.kubevirt.io
      volumeimportsources.cdi.kubevirt.io
      volumeuploadsources.cdi.kubevirt.io

      Version-Release number of selected component (if applicable):
      4.14.0

      How reproducible:
      100%

      Steps to Reproduce:
      1. oc adm policy who-can get <crd_name>

      Actual results:

      [cloud-user@ocp-ipi-executor-xl ~]$ oc adm policy who-can get volumeuploadsources.cdi.kubevirt.io
      resourceaccessreviewresponse.authorization.openshift.io/<unknown>

      Namespace: default
      Verb: get
      Resource: volumeuploadsources.cdi.kubevirt.io

      Users: system:admin
      system:serviceaccount:kube-system:generic-garbage-collector
      system:serviceaccount:kube-system:namespace-controller
      system:serviceaccount:openshift-apiserver-operator:openshift-apiserver-operator
      system:serviceaccount:openshift-apiserver:openshift-apiserver-sa
      system:serviceaccount:openshift-authentication-operator:authentication-operator
      system:serviceaccount:openshift-authentication:oauth-openshift
      system:serviceaccount:openshift-cluster-storage-operator:cluster-storage-operator
      system:serviceaccount:openshift-cluster-version:default
      system:serviceaccount:openshift-cnv:cdi-operator
      system:serviceaccount:openshift-cnv:cdi-sa
      system:serviceaccount:openshift-cnv:kubevirt-controller
      system:serviceaccount:openshift-cnv:kubevirt-operator
      system:serviceaccount:openshift-config-operator:openshift-config-operator
      system:serviceaccount:openshift-controller-manager-operator:openshift-controller-manager-operator
      system:serviceaccount:openshift-controller-manager:openshift-controller-manager-sa
      system:serviceaccount:openshift-etcd-operator:etcd-operator
      system:serviceaccount:openshift-etcd:installer-sa
      system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator
      system:serviceaccount:openshift-kube-apiserver:installer-sa
      system:serviceaccount:openshift-kube-apiserver:localhost-recovery-client
      system:serviceaccount:openshift-kube-controller-manager-operator:kube-controller-manager-operator
      system:serviceaccount:openshift-kube-controller-manager:installer-sa
      system:serviceaccount:openshift-kube-controller-manager:localhost-recovery-client
      system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator
      system:serviceaccount:openshift-kube-scheduler:installer-sa
      system:serviceaccount:openshift-kube-scheduler:localhost-recovery-client
      system:serviceaccount:openshift-kube-storage-version-migrator-operator:kube-storage-version-migrator-operator
      system:serviceaccount:openshift-kube-storage-version-migrator:kube-storage-version-migrator-sa
      system:serviceaccount:openshift-machine-config-operator:default
      system:serviceaccount:openshift-network-operator:default
      system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa
      system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount
      system:serviceaccount:openshift-service-ca-operator:service-ca-operator
      system:serviceaccount:recycle-pvs:recycle-pvs-sa
      Groups: system:cluster-admins
      system:masters

      [cloud-user@ocp-ipi-executor-xl ~]$
      [cloud-user@ocp-ipi-executor-xl ~]$ oc adm policy who-can get volumeimportsources.cdi.kubevirt.io
      resourceaccessreviewresponse.authorization.openshift.io/<unknown>

      Namespace: default
      Verb: get
      Resource: volumeimportsources.cdi.kubevirt.io

      Users: system:admin
      system:serviceaccount:kube-system:generic-garbage-collector
      system:serviceaccount:kube-system:namespace-controller
      system:serviceaccount:openshift-apiserver-operator:openshift-apiserver-operator
      system:serviceaccount:openshift-apiserver:openshift-apiserver-sa
      system:serviceaccount:openshift-authentication-operator:authentication-operator
      system:serviceaccount:openshift-authentication:oauth-openshift
      system:serviceaccount:openshift-cluster-storage-operator:cluster-storage-operator
      system:serviceaccount:openshift-cluster-version:default
      system:serviceaccount:openshift-cnv:cdi-operator
      system:serviceaccount:openshift-cnv:cdi-sa
      system:serviceaccount:openshift-cnv:kubevirt-controller
      system:serviceaccount:openshift-cnv:kubevirt-operator
      system:serviceaccount:openshift-config-operator:openshift-config-operator
      system:serviceaccount:openshift-controller-manager-operator:openshift-controller-manager-operator
      system:serviceaccount:openshift-controller-manager:openshift-controller-manager-sa
      system:serviceaccount:openshift-etcd-operator:etcd-operator
      system:serviceaccount:openshift-etcd:installer-sa
      system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator
      system:serviceaccount:openshift-kube-apiserver:installer-sa
      system:serviceaccount:openshift-kube-apiserver:localhost-recovery-client
      system:serviceaccount:openshift-kube-controller-manager-operator:kube-controller-manager-operator
      system:serviceaccount:openshift-kube-controller-manager:installer-sa
      system:serviceaccount:openshift-kube-controller-manager:localhost-recovery-client
      system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator
      system:serviceaccount:openshift-kube-scheduler:installer-sa
      system:serviceaccount:openshift-kube-scheduler:localhost-recovery-client
      system:serviceaccount:openshift-kube-storage-version-migrator-operator:kube-storage-version-migrator-operator
      system:serviceaccount:openshift-kube-storage-version-migrator:kube-storage-version-migrator-sa
      system:serviceaccount:openshift-machine-config-operator:default
      system:serviceaccount:openshift-network-operator:default
      system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa
      system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount
      system:serviceaccount:openshift-service-ca-operator:service-ca-operator
      system:serviceaccount:recycle-pvs:recycle-pvs-sa
      Groups: system:cluster-admins
      system:masters

      [cloud-user@ocp-ipi-executor-xl ~]$

      [cloud-user@ocp-ipi-executor-xl ~]$ oc adm policy who-can get volumeclonesources.cdi.kubevirt.io
      resourceaccessreviewresponse.authorization.openshift.io/<unknown>

      Namespace: default
      Verb: get
      Resource: volumeclonesources.cdi.kubevirt.io

      Users: system:admin
      system:serviceaccount:kube-system:generic-garbage-collector
      system:serviceaccount:kube-system:namespace-controller
      system:serviceaccount:openshift-apiserver-operator:openshift-apiserver-operator
      system:serviceaccount:openshift-apiserver:openshift-apiserver-sa
      system:serviceaccount:openshift-authentication-operator:authentication-operator
      system:serviceaccount:openshift-authentication:oauth-openshift
      system:serviceaccount:openshift-cluster-storage-operator:cluster-storage-operator
      system:serviceaccount:openshift-cluster-version:default
      system:serviceaccount:openshift-cnv:cdi-operator
      system:serviceaccount:openshift-cnv:cdi-sa
      system:serviceaccount:openshift-cnv:kubevirt-controller
      system:serviceaccount:openshift-cnv:kubevirt-operator
      system:serviceaccount:openshift-config-operator:openshift-config-operator
      system:serviceaccount:openshift-controller-manager-operator:openshift-controller-manager-operator
      system:serviceaccount:openshift-controller-manager:openshift-controller-manager-sa
      system:serviceaccount:openshift-etcd-operator:etcd-operator
      system:serviceaccount:openshift-etcd:installer-sa
      system:serviceaccount:openshift-kube-apiserver-operator:kube-apiserver-operator
      system:serviceaccount:openshift-kube-apiserver:installer-sa
      system:serviceaccount:openshift-kube-apiserver:localhost-recovery-client
      system:serviceaccount:openshift-kube-controller-manager-operator:kube-controller-manager-operator
      system:serviceaccount:openshift-kube-controller-manager:installer-sa
      system:serviceaccount:openshift-kube-controller-manager:localhost-recovery-client
      system:serviceaccount:openshift-kube-scheduler-operator:openshift-kube-scheduler-operator
      system:serviceaccount:openshift-kube-scheduler:installer-sa
      system:serviceaccount:openshift-kube-scheduler:localhost-recovery-client
      system:serviceaccount:openshift-kube-storage-version-migrator-operator:kube-storage-version-migrator-operator
      system:serviceaccount:openshift-kube-storage-version-migrator:kube-storage-version-migrator-sa
      system:serviceaccount:openshift-machine-config-operator:default
      system:serviceaccount:openshift-network-operator:default
      system:serviceaccount:openshift-oauth-apiserver:oauth-apiserver-sa
      system:serviceaccount:openshift-operator-lifecycle-manager:olm-operator-serviceaccount
      system:serviceaccount:openshift-service-ca-operator:service-ca-operator
      system:serviceaccount:recycle-pvs:recycle-pvs-sa
      Groups: system:cluster-admins
      system:masters

      [cloud-user@ocp-ipi-executor-xl ~]$

      Expected results:
      The command output should list the system:cluster-readers group.

      Additional info:

              rh-ee-alromero Alvaro Romero
              rhn-support-dbasunag Debarati Basu-Nag
              Debarati Basu-Nag Debarati Basu-Nag
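
Added example, not part of the original report or of the CDI project: a shell check that runs the reproduction command for each resource and reports those whose "Groups:" section does not list a given group. The function names and the abridged sample output are constructed for illustration; only `oc adm policy who-can get <resource>` and its output layout come from the report.

```shell
#!/usr/bin/env bash
# Added example, not from the original report.

# group_listed GROUP: reads `oc adm policy who-can` output on stdin and
# succeeds only if GROUP is an exact entry in the "Groups:" section.
group_listed() {
  awk -v want="$1" '
    /^[ \t]*(Users|Namespace|Verb|Resource):/ { in_groups = 0 }
    /^[ \t]*Groups:/ { in_groups = 1; sub(/^[ \t]*Groups:/, "") }
    in_groups {
      gsub(/^[ \t]+|[ \t]+$/, "")   # entries continue on indented lines
      if ($0 == want) found = 1
    }
    END { exit(found ? 0 : 1) }
  '
}

# crds_missing_group GROUP RESOURCE...: prints every resource whose `get`
# access review does not list GROUP and returns non-zero if any is printed.
# Needs a logged-in `oc`; it is defined here but not called by the demo below.
crds_missing_group() {
  local group="$1" rc=0 res
  shift
  for res in "$@"; do
    if ! oc adm policy who-can get "$res" | group_listed "$group"; then
      echo "$res"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample: abridged from the output layout shown in the report.
SAMPLE_BEFORE='Namespace: default
Verb: get
Resource: volumeuploadsources.cdi.kubevirt.io

Users: system:admin
      system:serviceaccount:openshift-cnv:cdi-operator
Groups: system:cluster-admins
      system:masters'

# Constructed sample of the expected result: the readers group is listed.
SAMPLE_AFTER="$SAMPLE_BEFORE
      system:cluster-readers"

printf '%s\n' "$SAMPLE_BEFORE" | group_listed system:cluster-readers || echo "before: system:cluster-readers missing"
printf '%s\n' "$SAMPLE_AFTER" | group_listed system:cluster-readers && echo "after: system:cluster-readers listed"
```

On a cluster, `crds_missing_group system:cluster-readers volumeclonesources.cdi.kubevirt.io volumeimportsources.cdi.kubevirt.io volumeuploadsources.cdi.kubevirt.io` prints nothing once all three resources are readable by the group. A failing `oc` call yields empty output and is therefore also reported as missing, so confirm the login first.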