Bug
Resolution: Done-Errata
We are using OCP 4.14.11 along with OpenShift Virtualization 4.14.4.
We logged into the OpenShift web console using a user with customized RBAC access rights. We went to Virtualization -> Catalog and clicked on the Fedora VM template. In the dialog that opened up, the "Customize VirtualMachine" button was disabled (grayed out). It took us some investigation to figure out why the button was disabled while all other OpenShift Virtualization functionality worked normally.
It turned out that the state of the "Customize VirtualMachine" button is determined by the result of a selfsubjectaccessreview request. This request checks that the user is allowed to create a processedtemplate resource.
There are two processedtemplates resources in the OpenShift API:
- The original processedtemplates that is part of the core API group "".
- The successor processedtemplates that is part of the template.openshift.io API group.
Unfortunately, the selfsubjectaccessreview that determines the state of the "Customize VirtualMachine" button checks the processedtemplates in the core API group while other code in the OpenShift Virtualization console plugin uses the processedtemplates from the template.openshift.io group. This led to confusion for us. See the three screenshots attached below.
In the customize_virtualmachine_1.png screenshot, if a user tries to instantiate a template, the error "processedtemplates.template.openshift.io is forbidden" is displayed.
We assigned the user a clusterrole like this one to resolve the issue:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-1
rules:
- apiGroups:
  - template.openshift.io
  resources:
  - processedtemplates
  verbs:
  - create
```
After assigning the clusterrole, the message disappeared but the "Customize VirtualMachine" button remained disabled. See the screenshot customize_virtualmachine_2.png.
After a longer investigation, we finally figured out how to fix the button. We had to assign the user the following clusterrole:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-1
rules:
- apiGroups:
  - ''
  resources:
  - processedtemplates
  verbs:
  - create
```
The screenshot customize_virtualmachine_3.png shows the fixed "Customize VirtualMachine" button.
It seems to me this issue could be fixed by changing the selfsubjectaccessreview request to include the group template.openshift.io. The request sent by the OpenShift Virtualization plugin shown in customize_virtualmachine_1.png would change to:
```json
{
  "apiVersion": "authorization.k8s.io/v1",
  "kind": "SelfSubjectAccessReview",
  "spec": {
    "resourceAttributes": {
      "namespace": "default",
      "resource": "processedtemplates",
      "verb": "create",
      "group": "template.openshift.io"
    }
  }
}
```
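
The mismatch described in this report can be reproduced offline. The following is an added example, not part of the original report and not code from the OpenShift Virtualization plugin: a simplified model of RBAC rule matching that evaluates the two ClusterRoles above against the button's access review (assumed to leave `group` unset, which means the core group) and against the proposed review with `group` set to template.openshift.io. All function names are hypothetical, and the matcher ignores resourceNames, subresources and nonResourceURLs.

```python
# Added example: simplified model of Kubernetes RBAC rule matching.
# Assumption: ignores resourceNames, subresources and nonResourceURLs.

# The two API groups the report says expose processedtemplates.
PROCESSEDTEMPLATE_GROUPS = ["", "template.openshift.io"]

def rule_allows(rule, attrs):
    """True if one ClusterRole rule covers a review's resourceAttributes."""
    def covers(allowed, wanted):
        return "*" in allowed or wanted in allowed
    # An omitted "group" in resourceAttributes means the core group "".
    return (covers(rule.get("apiGroups", []), attrs.get("group", ""))
            and covers(rule.get("resources", []), attrs["resource"])
            and covers(rule.get("verbs", []), attrs["verb"]))

def review(rules, attrs):
    """Emulate the 'allowed' field of a SelfSubjectAccessReview response."""
    return any(rule_allows(rule, attrs) for rule in rules)

def create_review(group=None):
    """resourceAttributes for 'create processedtemplates' in namespace default."""
    attrs = {"namespace": "default", "resource": "processedtemplates",
             "verb": "create"}
    if group is not None:
        attrs["group"] = group
    return attrs

def denied_groups(rules):
    """API groups in which 'create processedtemplates' is still denied."""
    return [g for g in PROCESSEDTEMPLATE_GROUPS
            if not review(rules, create_review(g))]

# The two ClusterRoles from the report, rules only.
ROLE_TEMPLATE_GROUP = [{"apiGroups": ["template.openshift.io"],
                        "resources": ["processedtemplates"], "verbs": ["create"]}]
ROLE_CORE_GROUP = [{"apiGroups": [""],
                    "resources": ["processedtemplates"], "verbs": ["create"]}]

if __name__ == "__main__":
    for name, rules in [("template.openshift.io role", ROLE_TEMPLATE_GROUP),
                        ("core-group role", ROLE_CORE_GROUP),
                        ("both roles", ROLE_TEMPLATE_GROUP + ROLE_CORE_GROUP)]:
        print(f"{name}: button check allowed={review(rules, create_review())}, "
              f"denied groups={denied_groups(rules)}")
```

A role audit built on `denied_groups` flags any custom role that grants the resource in only one of the two groups, which is the condition that left the button disabled here.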