OpenShift Virtualization / CNV-71253

Inconsistent RBAC behavior between Virtualization web console plug-in and the CLI

    • Quality / Stability / Reliability
    • Important
    • Customer Reported

      Description of problem:

      While attempting to configure different roles for developing, managing and using VMs managed by the OpenShift Virtualization Operator in OpenShift, it was found that a user who has been given the ability to update the `virtualmachine/start`, `virtualmachine/stop` and `virtualmachine/restart` subresources can manage these on the CLI, but not on the web console, unless also given update permissions on the root `virtualmachine` resource.
      
      Adding update permission on the root resource also permitted the user to add ephemeral storage or existing cluster PVCs, but not to create a new empty disk, unless the `addvolume` and `removevolume` subresources were also added.

      Version-Release number of selected component (if applicable):

      The behavior was replicated in a lab in AWS using OpenShift 4.18.13 and OpenShift Virtualization Operator 4.18.13

      How reproducible:

      Easily

      Steps to Reproduce:

      1. Deploy a cluster with the Virtualization operator and create an instance to initialise it
      2. Create a project for the virtual machines, for example `vm-project`
      3. Create any kind of VM in the project
      4. Create a new user without any cluster admin privileges, e.g. `vmmanager`
      5. Create groups, cluster roles and role bindings for the user, e.g.:
       
      ~~~
      $ cat vm-manager-rbac.yaml
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        labels:
          kubevirt.io: ""
        name: vm-manager-role
      rules:
        - apiGroups:
            - subresources.kubevirt.io
          resources:
            - virtualmachineinstances/console
            - virtualmachineinstances/vnc
          verbs:
            - get
        - apiGroups:
            - subresources.kubevirt.io
          resources:
            - virtualmachines/start
            - virtualmachines/stop
            - virtualmachines/restart
          verbs:
            - update
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: vm-managers
        namespace: vm-project
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: vm-manager-role
      subjects:
        - apiGroup: rbac.authorization.k8s.io
          kind: Group
          name: vm-managers
      ---
      apiVersion: user.openshift.io/v1
      kind: Group
      metadata:
        name: vm-managers
      users:
        - vmmanager
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: vm-project-view-role
        namespace: vm-project
      subjects:
        - kind: Group
          name: vm-managers
          apiGroup: rbac.authorization.k8s.io
      roleRef:
        kind: ClusterRole
        name: view
        apiGroup: rbac.authorization.k8s.io
      ~~~
      
      
      6. Observe that the user cannot manage the running state of the VM from the web console
      7. Confirm that the user can manage the running state from the CLI using the `virtctl` tool
      8. Append the following to the cluster role `vm-manager-role` resource:
      
      ~~~
        - apiGroups:
            - kubevirt.io
          resources:
            - virtualmachines
          verbs:
            - patch
            - update
      ~~~
      
      9. Observe that the user can now manage the running state of the VM from the web console
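      To see the two authorization checks side by side, an added example (not code from this issue, KubeVirt or OpenShift): a minimal Kubernetes-RBAC-style rule matcher run over the `vm-manager-role` rules quoted in step 5, before and after the step 8 rule is appended. The function names and rule dictionaries are mine; the real decision is a SubjectAccessReview answered by the API server, and the live equivalents are `oc auth can-i update virtualmachines.subresources.kubevirt.io --subresource=start -n vm-project --as=vmmanager` and `oc auth can-i update virtualmachines.kubevirt.io -n vm-project --as=vmmanager`.

```python
# Added example: a minimal Kubernetes-RBAC-style PolicyRule matcher (not KubeVirt
# or OpenShift code). It models only apiGroup/resource/verb matching with the "*"
# wildcard; the real decision is a SubjectAccessReview served by the API server.

# Rules of vm-manager-role exactly as quoted in step 5 of the reproduction.
VM_MANAGER_RULES = [
    {"apiGroups": ["subresources.kubevirt.io"],
     "resources": ["virtualmachineinstances/console", "virtualmachineinstances/vnc"],
     "verbs": ["get"]},
    {"apiGroups": ["subresources.kubevirt.io"],
     "resources": ["virtualmachines/start", "virtualmachines/stop",
                   "virtualmachines/restart"],
     "verbs": ["update"]},
]

# The rule appended to the ClusterRole in step 8.
ROOT_UPDATE_RULE = {"apiGroups": ["kubevirt.io"],
                    "resources": ["virtualmachines"],
                    "verbs": ["patch", "update"]}


def _rule_matches(rule, verb, group, resource):
    """A PolicyRule grants the request only if group, resource and verb all match."""
    def hit(allowed, wanted):
        return "*" in allowed or wanted in allowed
    return (hit(rule["apiGroups"], group) and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def can_i(rules, verb, group, resource, subresource=None):
    """RBAC treats 'virtualmachines/start' as a distinct resource string, so a grant
    on the root 'virtualmachines' does not cover it, and vice versa."""
    wanted = f"{resource}/{subresource}" if subresource else resource
    return any(_rule_matches(r, verb, group, wanted) for r in rules)


def console_vs_cli(rules):
    """The two requests the issue contrasts: the subresource update that `virtctl
    start` issues, and an update on the root VM object, which the issue reports
    the web console requires."""
    return {
        "cli_start": can_i(rules, "update", "subresources.kubevirt.io",
                           "virtualmachines", "start"),
        "console_root_update": can_i(rules, "update", "kubevirt.io", "virtualmachines"),
    }


if __name__ == "__main__":
    print("step 5 role:", console_vs_cli(VM_MANAGER_RULES))
    print("after step 8:", console_vs_cli(VM_MANAGER_RULES + [ROOT_UPDATE_RULE]))
```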

      Actual results:

      The privileges a user has appear to differ between the CLI and the web console

      Expected results:

      The privileges are consistent between the CLI and web console

              rh-ee-gkremer Gal Kremer
              rhn-support-pauwebst Paul Webster