OpenShift Bugs / OCPBUGS-60802

If using a Cluster Admin and a misspelling of a namespace it does not fail


    • Bug
    • Resolution: Not a Bug
    • Normal
    • 4.18
    • Quality / Stability / Reliability
    • False
    • Moderate

      Description of problem:

      There is no error when using the credentials of a cluster admin, compared to a service account, when viewing the inventory of a namespace that is misspelled.

      Version-Release number of selected component (if applicable):

      4.16, 4.17, 4.18

      How reproducible:

      100%

      Steps to Reproduce:

      1. Create a service account
      
      2. Create a Role
      ~~~
      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        name: kubevirt-ansible
        namespace: example
      rules:
      - apiGroups:
        - ""
        resources:
        - services
        verbs:
        - get
        - list
      - apiGroups:
        - kubevirt.io
        resources:
        - virtualmachines
        - virtualmachineinstances
        verbs:
        - get
        - list
        - watch
        - create
      ~~~
      
      3. Create rolebinding
      ~~~
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: kubevirt-ansible
        namespace: example
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: Role
        name: kubevirt-ansible
      subjects:
      - kind: ServiceAccount
        name: kubevirt-ansible
      ~~~
      
      4. Create token `oc create token kubevirt-ansible --duration=$((365*24))h -n example`
      
      5. Set token and the api_key with a misspelled namespace
      ~~~
      plugin: kubevirt.core.kubevirt
      connections:
        - host: https://api.test3.example.com:6443
          api_key: <service-account token created in step 4>
          validate_certs: false
          namespaces:
            - misspell
      ~~~
      
      6. In my case, install the collection: `ansible-galaxy collection install kubevirt.core`
      
      7. Test to see if you get a list. With the SA you will see the error. If you use cluster-admin it is successful.

      Actual results:

      - When using a non-cluster-admin user:
      ~~~
          [WARNING]: * Failed to parse /runner/inventory/kubevirt.yml with auto plugin:
      Error fetching VirtualMachineInstance list: virtualmachineinstances.kubevirt.io
      is forbidden: User "system:serviceaccount:example:kubevirt-ansible" cannot list resource "virtualmachineinstances" in API group "kubevirt.io"
      in the namespace "example"
      ~~~
      
      - When using a cluster admin user:
      ~~~
      [WARNING]: Collection kubevirt.core does not support Ansible version 2.14.17
      [WARNING]: Collection kubernetes.core does not support Ansible version 2.14.17
      [DEPRECATION WARNING]: The 'connections' parameter is deprecated and now supports only a single list entry. This feature will be removed from kubevirt.core in version 3.0.0. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
      [DEPRECATION WARNING]: Move all of your connection parameters to the configuration top level. This feature will be removed from kubevirt.core in version 3.0.0. Deprecation warnings can be disabled by setting deprecation_warnings=False in ansible.cfg.
      /usr/lib/python3.9/site-packages/urllib3/connectionpool.py:1018: InsecureRequestWarning: Unverified HTTPS request is being made to host 'api.test3.tt.testing'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
        warnings.warn(
      [WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
        hosts (0):
      ~~~

      Expected results:

      If there is no namespace that matches when using a cluster admin, this should fail in a similar manner as the SA in a namespace.

      Additional info:

       

       

              rhn-support-schandle Samuel Chandler
              Xingxing Xia Xingxing Xia
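
The difference reported above follows from the order in which the Kubernetes API server handles a list request: authorization is evaluated first, and an authorized list in a namespace that does not exist returns an empty list rather than an error. The following is an added example, not code from the report or from kubevirt.core; it is a simplified model of that ordering plus a pre-flight check that fails closed on a typo. `CLUSTER`, `Subject`, `list_vmis`, `missing_namespaces` and `checked_inventory` are hypothetical names, and the cluster state is constructed.

```python
# Added example: simplified model of Kubernetes list semantics (not kubevirt.core code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Subject:
    name: str
    cluster_wide: bool = False                 # models a cluster-admin ClusterRoleBinding
    role_namespaces: frozenset = frozenset()   # namespaces with a Role granting "list"

# Constructed cluster state: one existing namespace holding one VMI.
CLUSTER = {"example": ["vmi-a"]}

def list_vmis(subject, namespace, cluster=CLUSTER):
    """Return (http_status, items) in the order the API server applies its checks."""
    # 1. Authorization runs first and does not consult whether the namespace exists.
    if not (subject.cluster_wide or namespace in subject.role_namespaces):
        return 403, None
    # 2. Lookup: an unknown namespace simply holds no objects, so 200 with [].
    return 200, list(cluster.get(namespace, []))

def missing_namespaces(configured, cluster=CLUSTER):
    """Pre-flight check: configured namespaces that do not exist on the cluster."""
    return [ns for ns in configured if ns not in cluster]

def checked_inventory(subject, configured, cluster=CLUSTER):
    """Raise on a misspelled namespace instead of returning an empty host list."""
    missing = missing_namespaces(configured, cluster)
    if missing:
        raise ValueError(f"namespaces not found: {', '.join(missing)}")
    hosts = []
    for ns in configured:
        status, items = list_vmis(subject, ns, cluster)
        if status != 200:
            raise PermissionError(f"list forbidden in namespace {ns!r}")
        hosts.extend(items)
    return hosts

ADMIN = Subject("cluster-admin-user", cluster_wide=True)
SA = Subject("system:serviceaccount:example:kubevirt-ansible",
             role_namespaces=frozenset({"example"}))

if __name__ == "__main__":
    print("admin, misspelled:", list_vmis(ADMIN, "misspell"))
    print("sa, misspelled:   ", list_vmis(SA, "misspell"))
    print("missing:          ", missing_namespaces(["example", "misspell"]))
```

Against a real cluster the existence check corresponds to `oc get namespace <name>`, which requires permission to read namespaces; a service account bound only to a namespaced Role does not have it by default.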