  1. OpenShift Bugs
  2. OCPBUGS-12854

`cluster-reader` role cannot access "k8s.ovn.org" API Group resources


Details

    • Bug
    • Resolution: Done
    • Normal
    • None
    • 4.12.z, 4.11.z, 4.10.z
    • None
    • Moderate
    • No
    • ShiftStack Sprint 235
    • 1
    • False

    Description

      This is a clone of issue OCPBUGS-11550. The following is the description of the original issue:

      Description of problem:

      `cluster-reader` ClusterRole should have ["get", "list", "watch"] permissions for a number of privileged CRs, but lacks them for the API Group "k8s.ovn.org", which includes CRs such as EgressFirewalls, EgressIPs, etc.

      Version-Release number of selected component (if applicable):

      OCP 4.10 - 4.12 OVN

      How reproducible:

      Always

      Steps to Reproduce:

      1. Create a cluster with OVN components, e.g. EgressFirewall
      2. Check permissions of ClusterRole `cluster-reader`

      Actual results:

      No permissions for OVN resources 

      Expected results:

      Get, list, and watch verb permissions for OVN resources

      Additional info:

      Looks like a similar bug was opened for "network-attachment-definitions" in OCPBUGS-6959 (whose closure is being contested).
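
The check in step 2 of the report, as an added example (not part of the original issue and not OpenShift's own code): it evaluates a ClusterRole's rules with RBAC wildcard matching and lists which read verbs are missing for the "k8s.ovn.org" resources. It assumes the role was exported with `oc get clusterrole cluster-reader -o json`; the sample role below is constructed, and the plural resource names `egressfirewalls` and `egressips` stand for the CRs named in the description.

```python
import json

READ_VERBS = ("get", "list", "watch")

# Constructed sample in the shape of `oc get clusterrole cluster-reader -o json`.
# The rules are illustrative and were not copied from a real cluster.
SAMPLE_ROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "cluster-reader"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods", "services"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["k8s.ovn.org"], "resources": ["egressips"],
     "verbs": ["get", "list"]},
    {"nonResourceURLs": ["/healthz"], "verbs": ["get"]}
  ]
}
""")


def rule_allows(rule, group, resource, verb):
    """Match one RBAC rule; "*" is a wildcard in each field.

    Subresources (e.g. "pods/log") are not handled in this example.
    """
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule.get("apiGroups", []), group)
            and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def missing_read_access(role, group, resources, verbs=READ_VERBS):
    """Return sorted (resource, verb) pairs that no rule in the role grants."""
    rules = role.get("rules") or []  # an aggregated role can report rules: null
    return sorted((res, verb)
                  for res in resources
                  for verb in verbs
                  if not any(rule_allows(r, group, res, verb) for r in rules))


if __name__ == "__main__":
    gaps = missing_read_access(SAMPLE_ROLE, "k8s.ovn.org",
                               ["egressfirewalls", "egressips"])
    for res, verb in gaps:
        print(f"cluster-reader lacks {verb} on {res}.k8s.ovn.org")
```

An empty result means every listed resource is readable through the role; any remaining pair is a gap of the kind this issue describes.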

            People

              ffernand@redhat.com Flavio Fernandes (Inactive)
              openshift-crt-jira-prow OpenShift Prow Bot
              Jean Chen Jean Chen
