MicroShift / USHIFT-1663

Missing PodSecurityAdmission labelling RBAC

    • Type: Bug
    • Resolution: Done
    • Priority: Normal
    • openshift-4.14
    • Sprints: uShift Sprint 241, uShift Sprint 242, uShift Sprint 243

      Description of problem:

      MicroShift only deploys a subset of the RBAC required by the PSA. To enable syncing namespaces with privileged access, the following manifests need to be included:
      
      podsecurity-admission-label-syncer-controller-clusterrole.yaml[0]
      podsecurity-admission-label-syncer-controller-clusterrolebinding.yaml[1]
      
      Adding these will cure the following log lines being spammed:
      ... namespaces "default" is forbidden: User "system:serviceaccount:openshift-infra:privileged-namespaces-psa-label-syncer" cannot patch resource "namespaces" in API group
      ... namespaces "kube-public" is forbidden: User "system:serviceaccount:openshift-infra:privileged-namespaces-psa-label-syncer" cannot patch resource "namespaces" in API group
      ... namespaces "kube-system" is forbidden: User "system:serviceaccount:openshift-infra:privileged-namespaces-psa-label-syncer" cannot patch resource "namespaces" in API group
      

      How reproducible:

      100%

      Steps to Reproduce:

      1. Start microshift
      2. Execute journalctl -u microshift |grep -Eo 'privileged_namespaces_controller.*' | sort -u
      3. Output:
      
      privileged_namespaces_controller.go:105] namespaces "default" is forbidden: User "system:serviceaccount:openshift-infra:privileged-namespaces-psa-label-syncer" cannot patch resource "namespaces" in API group "" in the namespace "default"
      privileged_namespaces_controller.go:105] namespaces "kube-public" is forbidden: User "system:serviceaccount:openshift-infra:privileged-namespaces-psa-label-syncer" cannot patch resource "namespaces" in API group "" in the namespace "kube-public"
      privileged_namespaces_controller.go:105] namespaces "kube-system" is forbidden: User "system:serviceaccount:openshift-infra:privileged-namespaces-psa-label-syncer" cannot patch resource "namespaces" in API group "" in the namespace "kube-system"
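As an added example (not part of this issue or of MicroShift's own code), the script below turns RBAC "forbidden" log lines like the ones quoted above into the denied (user, verb, resource, apiGroup, namespace) tuples and renders the minimal ClusterRole and ClusterRoleBinding that would cover them. The sample journal text is constructed to match the reported output, and the manifest names it emits are placeholders. The derived rule is only the lower bound the logs reveal; the fix this issue describes is to ship the upstream manifests referenced in the description, which grant what the controller actually needs.

```python
import re
from collections import defaultdict

# Constructed sample journal output, shaped like the lines quoted in this issue
# (a journalctl/klog prefix added; the message bodies match the reported output).
SAMPLE_JOURNAL = """\
Jan 01 00:00:01 edge microshift[1000]: E0101 00:00:01.000000 1000 privileged_namespaces_controller.go:105] namespaces "default" is forbidden: User "system:serviceaccount:openshift-infra:privileged-namespaces-psa-label-syncer" cannot patch resource "namespaces" in API group "" in the namespace "default"
Jan 01 00:00:01 edge microshift[1000]: E0101 00:00:01.000000 1000 privileged_namespaces_controller.go:105] namespaces "kube-public" is forbidden: User "system:serviceaccount:openshift-infra:privileged-namespaces-psa-label-syncer" cannot patch resource "namespaces" in API group "" in the namespace "kube-public"
Jan 01 00:00:01 edge microshift[1000]: E0101 00:00:01.000000 1000 privileged_namespaces_controller.go:105] namespaces "kube-system" is forbidden: User "system:serviceaccount:openshift-infra:privileged-namespaces-psa-label-syncer" cannot patch resource "namespaces" in API group "" in the namespace "kube-system"
Jan 01 00:00:02 edge microshift[1000]: I0101 00:00:02.000000 1000 some_other_controller.go:10] reconciled 3 objects
"""

# Matches the apiserver's RBAC denial message; the namespace suffix is optional
# because cluster-scoped denials omit it.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>[a-z]+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)")?'
)


def parse_forbidden(lines):
    """Return one dict per RBAC denial found in the lines; other lines are skipped."""
    denials = []
    for line in lines:
        m = FORBIDDEN_RE.search(line)
        if m:
            denials.append(m.groupdict())
    return denials


def missing_rules(lines):
    """Aggregate denials into user -> (apiGroup, resource) -> set of verbs."""
    rules = defaultdict(lambda: defaultdict(set))
    for d in parse_forbidden(lines):
        rules[d["user"]][(d["group"], d["resource"])].add(d["verb"])
    return rules


def service_account_subject(user):
    """Map a system:serviceaccount:<ns>:<name> username to an RBAC subject, else None."""
    parts = user.split(":")
    if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
        return None
    return {"kind": "ServiceAccount", "namespace": parts[2], "name": parts[3]}


def render_clusterrole(name, user_rules):
    """Render a ClusterRole whose rules are exactly the denied (group, resource, verbs)."""
    out = ["apiVersion: rbac.authorization.k8s.io/v1", "kind: ClusterRole",
           "metadata:", f"  name: {name}", "rules:"]
    for (group, resource), verbs in sorted(user_rules.items()):
        verb_list = ", ".join(f'"{v}"' for v in sorted(verbs))
        # An empty apiGroups entry ("") selects the core API group.
        out += [f'- apiGroups: ["{group}"]',
                f'  resources: ["{resource}"]',
                f"  verbs: [{verb_list}]"]
    return "\n".join(out)


def render_clusterrolebinding(name, role_name, subject):
    """Render a ClusterRoleBinding tying the role to the denied service account."""
    return "\n".join([
        "apiVersion: rbac.authorization.k8s.io/v1", "kind: ClusterRoleBinding",
        "metadata:", f"  name: {name}",
        "roleRef:", "  apiGroup: rbac.authorization.k8s.io",
        "  kind: ClusterRole", f"  name: {role_name}",
        "subjects:",
        f"- kind: {subject['kind']}",
        f"  name: {subject['name']}",
        f"  namespace: {subject['namespace']}",
    ])


def manifests_for(journal_text):
    """For each denied service account, return (ClusterRole, ClusterRoleBinding) text."""
    result = {}
    for user, user_rules in missing_rules(journal_text.splitlines()).items():
        subject = service_account_subject(user)
        if subject is None:
            continue  # non-SA identities (users, groups) are out of scope here
        role = f"{subject['name']}-derived"  # PLACEHOLDER manifest name, not the upstream one
        result[user] = (render_clusterrole(role, user_rules),
                        render_clusterrolebinding(role, role, subject))
    return result


if __name__ == "__main__":
    for user, (role, binding) in manifests_for(SAMPLE_JOURNAL).items():
        print(f"# derived for {user}\n{role}\n---\n{binding}")
```

Feeding it `journalctl -u microshift` output yields a ClusterRole granting only `patch` on core-group `namespaces` for the `openshift-infra:privileged-namespaces-psa-label-syncer` service account, which is what the three reported denials amount to. After the real manifests are in place, `kubectl auth can-i patch namespaces --as=system:serviceaccount:openshift-infra:privileged-namespaces-psa-label-syncer` should answer `yes` and the denial lines should stop appearing.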
       

      Actual results:

      PSA privileged namespace label syncing is blocked

      Expected results:

      PSA privileged namespace label syncing should work and not generate the above logs.

      Additional info:

      [0] https://github.com/openshift/cluster-kube-controller-manager-operator/blob/master/bindata/assets/kube-controller-manager/podsecurity-admission-label-syncer-controller-clusterrole.yaml
      
      [1] https://github.com/openshift/cluster-openshift-controller-manager-operator/blob/release-4.14/bindata/v3.11.0/openshift-controller-manager/route-controller-manager-clusterrolebinding.yaml

       

              Assignee / Reporter: Jon Cope (jcope@redhat.com)