OpenShift Virtualization / CNV-32812

[2237949] Global permission [*] is seen in openshift-virtualization csv file for hostpath-provisioner-operator


    • Storage Core Sprint 248, Storage Core Sprint 249, Storage Core Sprint 250, Storage Core Sprint 251
    • High
    • No

      +++ This bug was initially created as a clone of Bug #2183659 +++

      Description of problem:
      For Jira: https://issues.redhat.com/browse/CNV-22907, we added a test scraping the openshift-virtualization CSV to validate that none of the components has a too-open global permission set. For Storage I don't see any open Jira indicating the work is pending, but both cdi-operator and hpp-operator show [*] permission on multiple resources. Logging this to track that.

      Version-Release number of selected component (if applicable):
      4.13.0

      How reproducible:
      100%

      Steps to Reproduce:
      1. Check openshift virtualization csv for global permission verbs
      2.
      3.

      Actual results:
      For cdi-operator:
      ================
      cluster_permission:
      - permission-verbs:
        - '*'
        resource:
        - clusterrolebindings
        - clusterroles
      - permission-verbs:
        - '*'
        resource:
        - customresourcedefinitions
        - customresourcedefinitions/status
      - permission-verbs:
        - '*'
        resource:
        - '*'
      - permission-verbs:
        - '*'
        resource:
        - validatingwebhookconfigurations
        - mutatingwebhookconfigurations
      - permission-verbs:
        - '*'
        resource:
        - apiservices
      - permission-verbs:
        - '*'
        resource:
        - cdis/finalizers
      - permission-verbs:
        - '*'
        resource:
        - '*'
      - permission-verbs:
        - '*'
        resource:
        - '*'
      permission:
      - permission-verbs:
        - '*'
        resource:
        - rolebindings
        - roles
      - permission-verbs:
        - '*'
        resource:
        - serviceaccounts
        - configmaps
        - events
        - secrets
        - services
      - permission-verbs:
        - '*'
        resource:
        - deployments
        - deployments/finalizers
      - permission-verbs:
        - '*'
        resource:
        - routes
        - routes/custom-host
      - permission-verbs:
        - '*'
        resource:
        - leases

      ==============
      for HPP operator
      ==============
      cluster_permission:
      - permission-verbs:
        - '*'
        resource:
        - persistentvolumes
      - permission-verbs:
        - '*'
        resource:
        - '*'
      permission:
      - permission-verbs:
        - '*'
        resource:
        - leases
      - permission-verbs:
        - '*'
        resource:
        - csistoragecapacities

      Expected results:
      No global permission set for any resource.

      Additional info:

      — Additional comment from Alex Kalenyuk on 2023-09-04 13:43:06 UTC —

      CDI should be good to go, however, I think it makes sense to create a clone for the HPP unit of work
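
The kind of check the description refers to, as an added example (not the CNV test suite's code or the project's own): it walks the RBAC rules under `spec.install.spec.clusterPermissions` and `permissions` of a ClusterServiceVersion and reports every rule that uses '*' as a verb or resource. The CSV fragment is constructed for illustration; `find_wildcard_rules` and the `example-hpp-operator` service account name are hypothetical.

```python
# Constructed sample: a trimmed ClusterServiceVersion in the shape OLM uses
# (spec.install.spec.clusterPermissions / permissions). The service account
# name and the rules are illustrative, not copied from the real CSV.
SAMPLE_CSV = {"spec": {"install": {"spec": {
    "clusterPermissions": [{
        "serviceAccountName": "example-hpp-operator",
        "rules": [
            {"apiGroups": [""], "resources": ["persistentvolumes"], "verbs": ["*"]},
            {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
            {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
        ],
    }],
    "permissions": [{
        "serviceAccountName": "example-hpp-operator",
        "rules": [
            {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"], "verbs": ["*"]},
            {"apiGroups": ["storage.k8s.io"], "resources": ["csistoragecapacities"],
             "verbs": ["get", "list", "watch", "create", "update", "delete"]},
        ],
    }],
}}}}


def find_wildcard_rules(csv, fields=("verbs", "resources")):
    """Return one finding per RBAC rule whose `fields` contain the '*' wildcard."""
    install = csv.get("spec", {}).get("install", {}).get("spec", {})
    findings = []
    # clusterPermissions become ClusterRoles, permissions become namespaced Roles.
    for scope in ("clusterPermissions", "permissions"):
        for entry in install.get(scope) or []:
            for index, rule in enumerate(entry.get("rules") or []):
                wild = [f for f in fields if "*" in (rule.get(f) or [])]
                if wild:
                    findings.append({
                        "scope": scope,
                        "serviceAccount": entry.get("serviceAccountName"),
                        "rule": index,
                        "wildcards": wild,
                        "resources": rule.get("resources") or [],
                    })
    return findings


if __name__ == "__main__":
    for f in find_wildcard_rules(SAMPLE_CSV):
        print("{scope} sa={serviceAccount} rule#{rule} '*' in {wildcards} on {resources}".format(**f))
```

To run it against a live cluster, load the output of `oc get csv <name> -n <namespace> -o json` with `json.load` and pass the result in place of `SAMPLE_CSV`.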

            akalenyu Alex Kalenyuk
            rhn-support-dbasunag Debarati Basu-Nag