- Bug
- Resolution: Not a Bug
- Major
- None
- 4.12.0
- None
- Important
- None
- Proposed
- False
Description of problem:
Cluster-reader cannot list network-attachment-definitions
Version-Release number of selected component (if applicable):
It should happen on any version.
How reproducible:
100%
Steps to Reproduce:
1. Create a regular user 'test'. Reference for creating the 'test' user: https://github.com/openshift/console/blob/master/test-prow-e2e.sh#L52
2. Assign the cluster-reader role to this user:
   $ oc adm policy add-cluster-role-to-user cluster-reader test
3. Try to list some resources:
   $ oc get pod --all-namespaces | head -n 2
   NAMESPACE   NAME                                    READY   STATUS      RESTARTS   AGE
   alitke      virt-launcher-fedora-blue-shark-45r8s   0/1     Completed   0          6d11h
   $ oc get vm --all-namespaces | head -n 2
   NAMESPACE   NAME                AGE   STATUS    READY
   alitke      fedora-blue-shark   97d   Running   True
   $ oc get network-attachment-definitions --all-namespaces
   Error from server (Forbidden): network-attachment-definitions.k8s.cni.cncf.io is forbidden: User "test" cannot list resource "network-attachment-definitions" in API group "k8s.cni.cncf.io" at the cluster scope
Actual results:
the cluster-reader user can list other resources but not network-attachment-definitions
Expected results:
the cluster-reader user can list network-attachment-definitions
Additional info:
There was a similar issue in the past: https://bugzilla.redhat.com/show_bug.cgi?id=1721444