- Bug
- Resolution: Unresolved
- Major
- None
- 4.16
Description of problem:
We identified a discrepancy in the cluster-reader ClusterRole between OpenShift 4.14 and OpenShift 4.16. Specifically, the cluster-reader role in OpenShift 4.16 includes permissions for the delete, create, update, and patch verbs, which are unexpected for this role.

We identified that the cluster-reader ClusterRole in OpenShift 4.16 uses an aggregationRule to pull rules from other ClusterRoles matching the following labels:

- rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
- rbac.authorization.k8s.io/aggregate-to-view: "true"

Further investigation revealed that the system:openshift:machine-config-operator:cluster-reader ClusterRole contributes specific rules under the machineconfiguration.openshift.io API group. These permissions include:

- Resources: machineconfignodes, machineconfignodes/status, machineosconfigs, machineosconfigs/status, machineosbuilds, machineosbuilds/status
- Verbs: get, list, watch, delete, create, update, patch

The identified permissions appear to originate from the MCO and are linked to the following pull requests:

- PR 4062 (OCPBUGS-24416)
- PR 4327 (MCO-1131)

Request: Can the MCO team confirm whether these additional permissions are intentional? If not, adjustments may be required, as the cluster-reader role should not include the delete, create, update, or patch verbs.
Version-Release number of selected component (if applicable):
4.16
How reproducible:
100%
Steps to Reproduce:
1. Deploy a fresh OpenShift 4.16 environment.
2. Inspect the rules under the cluster-reader ClusterRole.
3. Observe the inclusion of the delete, create, update, and patch verbs for resources under the machineconfiguration.openshift.io API group.
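The inspection in steps 2 and 3 can be scripted so the check is repeatable across releases. The script below is an added example and is not part of the bug report or of the MCO project; it reads the JSON that `oc get clusterrole cluster-reader -o json` and `oc get clusterroles -o json` produce (those commands are assumed to be run with a read-only account), flags every rule whose verbs go beyond get/list/watch, and then walks the aggregationRule selectors to name the aggregated-in ClusterRoles that bring the write verbs with them. When run without arguments it audits a constructed sample modelled on the report rather than real cluster output; the role and label names in that sample are the ones the report cites, the `example-view-only` role is invented for illustration.

```python
"""Audit an aggregated ClusterRole for verbs a read-only role should not carry.

Live-cluster usage (oc commands assumed; run with a read-only account):
    oc get clusterrole cluster-reader -o json > cluster-reader.json
    oc get clusterroles -o json > all-clusterroles.json
    python3 audit_cluster_reader.py cluster-reader.json all-clusterroles.json
With no arguments the constructed sample below is audited instead.
"""
import json
import sys

# Verbs a read-only role such as cluster-reader is expected to have.
READ_ONLY_VERBS = frozenset({"get", "list", "watch"})

MCO_GROUP = "machineconfiguration.openshift.io"
MCO_RESOURCES = ["machineconfignodes", "machineconfignodes/status",
                 "machineosconfigs", "machineosconfigs/status",
                 "machineosbuilds", "machineosbuilds/status"]
MCO_VERBS = ["get", "list", "watch", "delete", "create", "update", "patch"]

# Constructed sample data modelled on the report; NOT real cluster output.
# The aggregation controller copies rules of matching roles into the
# "rules" of the aggregated role, which is what the sample reflects.
SAMPLE_ROLES = [
    {
        "kind": "ClusterRole",
        "metadata": {"name": "cluster-reader", "labels": {}},
        "aggregationRule": {"clusterRoleSelectors": [
            {"matchLabels": {"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"}},
            {"matchLabels": {"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
        ]},
        "rules": [
            {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
            {"apiGroups": [MCO_GROUP], "resources": MCO_RESOURCES, "verbs": MCO_VERBS},
        ],
    },
    {
        "kind": "ClusterRole",
        "metadata": {"name": "system:openshift:machine-config-operator:cluster-reader",
                     "labels": {"rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"}},
        "rules": [{"apiGroups": [MCO_GROUP], "resources": MCO_RESOURCES, "verbs": MCO_VERBS}],
    },
    {   # hypothetical read-only contributor, present to show a clean role
        "kind": "ClusterRole",
        "metadata": {"name": "example-view-only",
                     "labels": {"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
        "rules": [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]}],
    },
]


def excess_verbs(rule, allowed=READ_ONLY_VERBS):
    """Verbs in one rule that a read-only role should not carry.
    A wildcard grants every verb, so it is reported as-is."""
    verbs = set(rule.get("verbs", []))
    if "*" in verbs:
        return {"*"}
    return verbs - allowed


def write_rules(role):
    """(apiGroups, resources, excess verbs) for every non-read-only rule."""
    findings = []
    for rule in role.get("rules", []):
        extra = excess_verbs(rule)
        if extra:
            findings.append((tuple(rule.get("apiGroups", [])),
                             tuple(rule.get("resources", [])),
                             tuple(sorted(extra))))
    return findings


def selected_by(aggregated, candidate):
    """True if candidate's labels satisfy any clusterRoleSelector of the
    aggregated role. Only matchLabels is modelled; as in Kubernetes, an
    empty selector matches everything."""
    labels = candidate.get("metadata", {}).get("labels") or {}
    selectors = aggregated.get("aggregationRule", {}).get("clusterRoleSelectors", [])
    return any(all(labels.get(k) == v for k, v in sel.get("matchLabels", {}).items())
               for sel in selectors)


def write_contributors(aggregated, all_roles):
    """Names of aggregated-in ClusterRoles that contribute write verbs."""
    me = aggregated["metadata"]["name"]
    return sorted(r["metadata"]["name"] for r in all_roles
                  if r["metadata"]["name"] != me
                  and selected_by(aggregated, r) and write_rules(r))


def main(argv):
    if len(argv) == 3:
        with open(argv[1]) as f:
            target = json.load(f)
        with open(argv[2]) as f:
            roles = json.load(f)["items"]
    else:
        target, roles = SAMPLE_ROLES[0], SAMPLE_ROLES
    for groups, resources, extra in write_rules(target):
        print(f"{target['metadata']['name']}: {groups} {resources} -> {extra}")
    for name in write_contributors(target, roles):
        print(f"write verbs aggregated in from: {name}")


if __name__ == "__main__":
    main(sys.argv)
```

To confirm the effective permission rather than the role text, impersonate a subject that is bound to cluster-reader and ask the API server directly, e.g. `oc auth can-i delete machineconfignodes.machineconfiguration.openshift.io --as=<that subject>`; the script only tells you where the verbs come from, not whether anyone actually holds the role.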
Actual results:
The cluster-reader ClusterRole in OpenShift 4.16 includes unexpected permissions for the above-mentioned verbs.
Expected results:
The cluster-reader ClusterRole in OpenShift 4.16 should not have delete, create, update, and patch verbs.
Additional info:
This behavior deviates from the expected permissions in earlier versions (e.g., OpenShift 4.14) and could lead to potential security or operational concerns.