Loading...

XML

Word

Printable

Details

Type: Story
Resolution: Done-Errata
Priority: Critical
Fix Version/s: OSSM 2.4.3
Affects Version/s: None
Component/s: Customer Impact, Maistra
Labels:
- gateway-api

Blocked:
False
Blocked Reason:
None
Ready:
False
Git Pull Request:
https://github.com/maistra/istio-operator/pull/1262

Target Version:

OSSM 2.5.0

SFDC Cases Links:
SFDC Cases Counter:

Description

The Cluster Ingress Operator can't deploy a cluster-wide SMCP, because it doesn't have cluster-admin privileges.

The OSSM operator currently performs a SubjectAccessReview with the following resourceAttributes:

authorizationv1.ResourceAttributes{
	Verb:     "*",
	Group:    "*",
	Resource: "*",
},

We should change this to only include the privileges that a cluster-wide istiod requires.

However, even after this change, the Cluster Ingress Operator may still not have all the required privileges, so we should first check what privileges it does have ~~(https://github.com/openshift/cluster-ingress-operator/blob/master/assets/router/cluster-role.yaml).~~ https://github.com/openshift/cluster-ingress-operator/blob/8eb2c667fd31a67d52c4d0ea6c5f014a9fe2ce0d/manifests/00-cluster-role.yaml and https://github.com/openshift/cluster-ingress-operator/blob/8eb2c667fd31a67d52c4d0ea6c5f014a9fe2ce0d/manifests/01-role.yaml

Attachments

Issue Links

causes

OCPBUGS-17752 [GWAPI] Update code with OSSM RBAC fix

New

links to

RHBA-2023:120107 Red Hat OpenShift Service Mesh Containers for 2.4.3

mentioned on

Merge request - Updated US source to: d289b79 OSSM-4194 Made change to the host in the DestinationRule v2.4 (#1232)

Merge request - Updated US source to: fedfebe OSSM-3508 Allow cluster-scoped SMCP when user has cluster-scoped create SMCP privilege (#1262)

Activity

People

Assignee:: Marko Luksa

Reporter:: Marko Luksa

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2023/03/02 8:33 AM

Updated:: 2023/09/14 5:35 PM

Resolved:: 2023/09/14 5:35 PM