- Bug
- Resolution: Not a Bug
- Undefined
- None
- 4.15.z
- None
- No
- False
Description of problem:
clusterrole "system:router" is able to get routes under all namespaces; cluster admin binds clusterrole "system:router" to user testuser-12

$ oc describe clusterrole system:router
Name:         system:router
Labels:       <none>
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources                                  Non-Resource URLs  Resource Names  Verbs
  ---------                                  -----------------  --------------  -----
  tokenreviews.authentication.k8s.io         []                 []              [create]
  subjectaccessreviews.authorization.k8s.io  []                 []              [create]
  endpoints                                  []                 []              [list watch]
  routes                                     []                 []              [list watch]
  services                                   []                 []              [list watch]
  endpointslices.discovery.k8s.io            []                 []              [list watch]
  routes.route.openshift.io                  []                 []              [list watch]
  routes/status                              []                 []              [update]
  routes.route.openshift.io/status           []                 []              [update]

$ oc adm policy add-cluster-role-to-user system:router testuser-12
clusterrole.rbac.authorization.k8s.io/system:router added: "testuser-12"
oc login as user testuser-12:

# oc login https://api.**.qe.devcluster.openshift.com:6443 -u testuser-12 -p ***
WARNING: Using insecure TLS client config. Setting this option is not supported!

Login successful.

You don't have any projects. You can try to create a new project, by running

    oc new-project <projectname>
User testuser-12 can get all routes under the project, but cannot get one specific route under the project:

# oc get routes -n openshift-monitoring
NAME                      HOST/PORT                                                                                      PATH        SERVICES            PORT   TERMINATION          WILDCARD
alertmanager-main         alertmanager-main-openshift-monitoring.apps.qe-uidaily-0301.qe.devcluster.openshift.com        /api        alertmanager-main   web    reencrypt/Redirect   None
prometheus-k8s            prometheus-k8s-openshift-monitoring.apps.qe-uidaily-0301.qe.devcluster.openshift.com           /api        prometheus-k8s      web    reencrypt/Redirect   None
prometheus-k8s-federate   prometheus-k8s-federate-openshift-monitoring.apps.qe-uidaily-0301.qe.devcluster.openshift.com  /federate   prometheus-k8s      web    reencrypt/Redirect   None
thanos-querier            thanos-querier-openshift-monitoring.apps.qe-uidaily-0301.qe.devcluster.openshift.com           /api        thanos-querier      web    reencrypt/Redirect   None

# oc get routes thanos-querier -n openshift-monitoring
Error from server (Forbidden): routes.route.openshift.io "thanos-querier" is forbidden: User "testuser-12" cannot get resource "routes" in API group "route.openshift.io" in the namespace "openshift-monitoring"

# oc get routes -n openshift-console
NAME        HOST/PORT                                                                PATH   SERVICES    PORT    TERMINATION          WILDCARD
console     console-openshift-console.apps.qe-uidaily-0301.qe.devcluster.openshift.com          console     https   reencrypt/Redirect   None
downloads   downloads-openshift-console.apps.qe-uidaily-0301.qe.devcluster.openshift.com        downloads   http    edge/Redirect        None

# oc get routes console -n openshift-console
Error from server (Forbidden): routes.route.openshift.io "console" is forbidden: User "testuser-12" cannot get resource "routes" in API group "route.openshift.io" in the namespace "openshift-console"
Version-Release number of selected component (if applicable):
oc client/server version: 4.15.0-0.nightly-2024-02-29-161507
How reproducible:
always
Steps to Reproduce:
1. See the description.
Actual results:
clusterrole system:router can get all routes under one project, but cannot get one specific route under the project
Expected results:
can get a specific route under the project