- Bug
- Resolution: Done
- Normal
- 4.12.z, 4.11.z, 4.10.z
- None
- Moderate
- No
- ShiftStack Sprint 235, OSDOCS Sprint 236
- 2
- Rejected
- False
This is a clone of issue OCPBUGS-12854. The following is the description of the original issue:
—
This is a clone of issue OCPBUGS-11550. The following is the description of the original issue:
—
Description of problem:
`cluster-reader` ClusterRole should have ["get", "list", "watch"] permissions for a number of privileged CRs, but lacks them for the API Group "k8s.ovn.org", which includes CRs such as EgressFirewalls, EgressIPs, etc.
Version-Release number of selected component (if applicable):
OCP 4.10 - 4.12 OVN
How reproducible:
Always
Steps to Reproduce:
1. Create a cluster with OVN components, e.g. EgressFirewall
2. Check permissions of ClusterRole `cluster-reader`
Actual results:
No permissions for OVN resources
Expected results:
Get, list, and watch verb permissions for OVN resources
Additional info:
Looks like a similar bug was opened for "network-attachment-definitions" in OCPBUGS-6959 (whose closure is being contested).
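
The permission check from step 2, as an added example that is not part of the original report: it evaluates the `rules` of a ClusterRole object (the JSON that `oc get clusterrole cluster-reader -o json` returns) and reports which of the get, list and watch verbs are missing for resources in "k8s.ovn.org". The two ClusterRole objects are constructed samples; the function name and the plural resource names `egressfirewalls` and `egressips` (for the EgressFirewalls and EgressIPs CRs named above) are assumptions.

```python
REQUIRED_VERBS = {"get", "list", "watch"}
OVN_GROUP = "k8s.ovn.org"
OVN_RESOURCES = ["egressfirewalls", "egressips"]  # assumed plural names of the CRs in the report


def missing_read_verbs(cluster_role, api_group, resources):
    """Return {resource: [missing verbs]} for read verbs the role does not grant in api_group."""
    granted = {res: set() for res in resources}
    for rule in cluster_role.get("rules") or []:
        groups = rule.get("apiGroups") or []
        if "*" not in groups and api_group not in groups:
            continue  # rule applies to other API groups only
        if rule.get("resourceNames"):
            continue  # restricted to named objects, not a general read grant
        verbs = set(rule.get("verbs") or [])
        if "*" in verbs:
            verbs = set(REQUIRED_VERBS)
        rule_resources = rule.get("resources") or []
        for res in resources:
            if "*" in rule_resources or res in rule_resources:
                granted[res] |= verbs & REQUIRED_VERBS
    return {res: sorted(REQUIRED_VERBS - got)
            for res, got in granted.items() if REQUIRED_VERBS - got}


# Constructed sample: a reader role with no rule for k8s.ovn.org (the reported state).
ROLE_WITHOUT_OVN = {
    "kind": "ClusterRole",
    "metadata": {"name": "cluster-reader"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "services"],
         "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed sample: the same role with the expected read rule added.
ROLE_WITH_OVN = {
    "kind": "ClusterRole",
    "metadata": {"name": "cluster-reader"},
    "rules": ROLE_WITHOUT_OVN["rules"] + [
        {"apiGroups": [OVN_GROUP], "resources": OVN_RESOURCES,
         "verbs": ["get", "list", "watch"]},
    ],
}

if __name__ == "__main__":
    for label, role in (("without rule", ROLE_WITHOUT_OVN), ("with rule", ROLE_WITH_OVN)):
        print(label, missing_read_verbs(role, OVN_GROUP, OVN_RESOURCES))
```
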
- blocks
  - OCPBUGS-13661 `cluster-reader` role cannot access "k8s.ovn.org" API Group resources (Closed)
- clones
  - OCPBUGS-12854 `cluster-reader` role cannot access "k8s.ovn.org" API Group resources (Closed)
- is blocked by
  - OCPBUGS-12854 `cluster-reader` role cannot access "k8s.ovn.org" API Group resources (Closed)
- is cloned by
  - OCPBUGS-13661 `cluster-reader` role cannot access "k8s.ovn.org" API Group resources (Closed)