Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-13013

`cluster-reader` role cannot access "k8s.ovn.org" API Group resources

    XMLWordPrintable

Details

    • Moderate
    • No
    • ShiftStack Sprint 235, OSDOCS Sprint 236
    • 2
    • Rejected
    • False
    • Hide

      None

      Show
      None

    Description

      This is a clone of issue OCPBUGS-12854. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-11550. The following is the description of the original issue:

      Description of problem:

      `cluster-reader` ClusterRole should have ["get", "list", "watch"] permissions for a number of privileged CRs, but lacks them for the API Group "k8s.ovn.org", which includes CRs such as EgressFirewalls, EgressIPs, etc.

      Version-Release number of selected component (if applicable):

      OCP 4.10 - 4.12 OVN

      How reproducible:

      Always

      Steps to Reproduce:

      1. Create a cluster with OVN components, e.g. EgressFirewall
2. Check permissions of ClusterRole `cluster-reader`

      Actual results:

      No permissions for OVN resources

      Expected results:

      Get, list, and watch verb permissions for OVN resources

      Additional info:

      Looks like a similar bug was opened for "network-attachment-definitions" in OCPBUGS-6959 (whose closure is being contested).

      Attachments

        Issue Links

          blocks

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-13661 `cluster-reader` role cannot access "k8s.ovn.org" API Group resources

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          clones

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-12854 `cluster-reader` role cannot access "k8s.ovn.org" API Group resources

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          is blocked by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-12854 `cluster-reader` role cannot access "k8s.ovn.org" API Group resources

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-13661 `cluster-reader` role cannot access "k8s.ovn.org" API Group resources

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Closed
          links to

          GitHub openshift/cluster-network-operator#1799: [release-4.12] OCPBUGS-13013: AUTH: update cluster-reader to include k8s.ovn.org

          Activity

            People

              ffernand@redhat.com Flavio Fernandes (Inactive)
              openshift-crt-jira-prow OpenShift Prow Bot
              Jean Chen Jean Chen
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: