Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-11550

`cluster-reader` role cannot access "k8s.ovn.org" API Group resources

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done-Errata
    • Icon: Normal Normal
    • 4.14.0
    • 4.12.z, 4.11.z, 4.10.z
    • Networking / ovn-kubernetes
    • None
    • Moderate
    • No
    • SDN Sprint 234, SDN Sprint 235, SDN Sprint 236
    • 3
    • False
    • Hide

      None

      Show
      None
    • N/A
    • Release Note Not Required

      Description of problem:

      `cluster-reader` ClusterRole should have ["get", "list", "watch"] permissions for a number of privileged CRs, but lacks them for the API Group "k8s.ovn.org", which includes CRs such as EgressFirewalls, EgressIPs, etc.

      Version-Release number of selected component (if applicable):

      OCP 4.10 - 4.12 OVN

      How reproducible:

      Always

      Steps to Reproduce:

      1. Create a cluster with OVN components, e.g. EgressFirewall
2. Check permissions of ClusterRole `cluster-reader`

      Actual results:

      No permissions for OVN resources

      Expected results:

      Get, list, and watch verb permissions for OVN resources

      Additional info:

      Looks like a similar bug was opened for "network-attachment-definitions" in OCPBUGS-6959 (whose closure is being contested).

              ffernand@redhat.com Flavio Fernandes (Inactive)
              rhn-support-jorbell Jordan Bell
              Jean Chen Jean Chen
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: