Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Not a Bug
Priority: Critical
Fix Version/s: None
Affects Version/s: 4.12.z
Component/s: OLM / OperatorHub
Labels:
None

Severity:
Moderate
Regression:
No
Sprint:
OPECO 233
sprint_count:
1
Release Blocker:
Rejected
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Discussion Needed:

OCP Eng Mgmt
Customer Impact:

Customer Escalated

SFDC Cases Counter:
SFDC Cases Links:

Description

Description of problem:

OpenShift compliance rule is failing "ocp4-cis-rbac-wildcard-use " because operatorgroup have one clusterrole which using wildcard permission means violating the CIS benchmark.

Clusterrole with a wildcard -
~~~
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: "2022-03-29T18:46:01Z"
labels:
olm.opgroup.permissions/aggregate-to-29f560e63c769514-admin: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
name: namespacescopes.operator.ibm.com-v1-admin <--------- Name comes from the CRD name + "admin"
ownerReferences:

apiVersion: apiextensions.k8s.io/v1
blockOwnerDeletion: false
controller: false
kind: CustomResourceDefinition
name: namespacescopes.operator.ibm.com
uid: 381095c3-fdea-4009-8eba-686f276b7ac5
resourceVersion: "19255855"
selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/namespacescopes.operator.ibm.com-v1-admin
uid: 90bef156-0c35-4edd-86d3-46f12259b10c
rules:
apiGroups:
operator.ibm.com
resources:
namespacescopes
verbs:
'*' <----------- This is the issue
~~~~

I found the github issue for same, Are you targeting this issue in OpenSHift ?

https://github.com/operator-framework/operator-lifecycle-manager/issues/2727

Attachments

Activity

People

Assignee:: Jordan Keister

Reporter:: Asmita Gawand

QA Contact:: Kui Wang

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2023/03/04 8:23 AM

Updated:: 2023/03/31 12:50 PM

Resolved:: 2023/03/20 6:29 PM