-
Bug
-
Resolution: Done-Errata
-
Normal
-
None
-
4.17.z
-
Quality / Stability / Reliability
-
False
-
-
1
-
Low
-
None
-
None
-
None
-
uShift Sprint 265, uShift Sprint 266
-
2
-
None
-
Release Note Not Required
-
None
-
None
-
None
-
None
-
None
Description of problem:
When trying to expose a service to create a route, user with the "clusterrole/edit" on the namespace is getting: ////////// Error from server (Forbidden): routes.route.openshift.io is forbidden: User "system:serviceaccount:<>" cannot create resource "routes" in API group "route.openshift.io" in the namespace This is caused by missing permissions on the route in the cluster role edit. ~~~ # oc get clusterrole edit -o yaml | grep -i route ~~~ However, checking the OpenShift, the same role, the output is: ~~~ # oc get clusterrole edit -o yaml | grep -i route - route.openshift.io - routes - route.openshift.io - routes/custom-host - route.openshift.io - routes/status - route.openshift.io - routes ~~~ It means that either the role is incomplete or incorrectly added.
Version-Release number of selected component (if applicable):
MicroShift 4.17
How reproducible:
# oc get clusterrole edit -o yaml | grep -i route Or create service account, add the "edit" role and check if you can create Route under the service account.
Steps to Reproduce:
1.
2.
3.
Actual results:
Expected results:
Additional info:
I wasn't able to find the reference to the clusterrole/edit in the github repo.
- clones
-
-
- Closed
-
- is blocked by
-
-
- Closed
-
- links to
-
RHSA-2024:6124
OpenShift Container Platform 4.18.z security update