https://issues.redhat.com/browse/NETOBSERV-27

Requirements:
- For a user with sufficient permissions (e.g. admin) using ovn-k network type, all network policy features are available and no special information is displayed about it.
- For a user with sufficient permissions (e.g. admin) using openshift-sdn network type, the egress section and IP block exceptions are hidden, and no special information is displayed about it.
- For a user with insufficient permissions to get the network type, all network policy features are visible but an informative message is displayed about potentially unavailable features.

-----------------

Testing:

* Spun up cluster for PR openshift/console#9628.

    :~ % oc login --token=sha256~IR1QYL6o3CLbwlEd9QmSDHzAFpI9uQjtPMGShjFmlMw --server=https://api.ci-ln-kfw63mk-f76d1.origin-ci-int-gce.dev.openshift.com:6443
    Logged into "https://api.ci-ln-kfw63mk-f76d1.origin-ci-int-gce.dev.openshift.com:6443" as "kube:admin" using the token provided.

    You have access to 65 projects, the list has been suppressed.
    You can list all projects with 'oc projects'

    Using project "default".
    :~ %

* Fetched current networkType:

    :~ % oc get Network.config.openshift.io cluster -o json | jq '.spec.networkType'
    "OpenShiftSDN"
    :~ %
    :~ % oc whoami
    kube:admin
    :~ %

* Verified on NetworkPolicies console:
1. "Egress" section is not visible.
2. "Deny all ingress traffic" checkbox is not visible.
3. No special information is displayed.
4. What does "IP block" mean?

----

For case with OVN-K:

* Spun up a cluster with PR #9628 and OVN-K:

    :~ % oc get Network.config.openshift.io cluster -o json | jq '.spec.networkType'
    "OVNKubernetes"
    :~ %

* Verified on NetworkPolicies console:
1. All features are available for Ingress and Egress without any special information dialogue.
2. Can see Exceptions too for "admin" user under IP Block for Ingress and Egress.
3. Created less privileged user "developer" and created a project for this user, verified - Information Text dialogue box is seen for OpenShift SDN and Exceptions are visible under IP block Ingress and Egress rules for less privileged users as well.

----

For a case where the user has insufficient permissions:

* Created identity for additional users:

    :~ % htpasswd -c -B -b ~/netobserv25-user admin redhat
    Adding password for user admin
    :~ % htpasswd -b ~/netobserv25-user developer developer
    Adding password for user developer

(later the file netobserv25-user was renamed to htpasswd)

* Created secret:

    :~ % oc create secret generic localusers --from-file htpasswd=/Users/memodi/htpasswd -n openshift-config
    secret/localusers created
    :~ % oc adm policy add-cluster-role-to-user cluster-admin admin
    clusterrole.rbac.authorization.k8s.io/cluster-admin added: "admin"
    :~ % oc get oauth cluster -o yaml > cluster-oauth2.yaml
    cat cluster-oauth2.yaml
    apiVersion: config.openshift.io/v1
    kind: OAuth
    metadata:
      annotations:
        include.release.openshift.io/ibm-cloud-managed: "true"
        include.release.openshift.io/self-managed-high-availability: "true"
        include.release.openshift.io/single-node-developer: "true"
        release.openshift.io/create-only: "true"
      creationTimestamp: "2021-08-05T18:09:29Z"
      generation: 3
      managedFields:
      - apiVersion: config.openshift.io/v1
        fieldsType: FieldsV1
        fieldsV1:
          f:metadata:
            f:annotations:
              .: {}
              f:include.release.openshift.io/ibm-cloud-managed: {}
              f:include.release.openshift.io/self-managed-high-availability: {}
              f:include.release.openshift.io/single-node-developer: {}
              f:release.openshift.io/create-only: {}
          f:spec: {}
        manager: cluster-version-operator
        operation: Update
        time: "2021-08-05T18:09:29Z"
      - apiVersion: config.openshift.io/v1
        fieldsType: FieldsV1
        fieldsV1:
          f:spec:
            f:identityProviders: {}
        manager: Mozilla
        operation: Update
        time: "2021-08-05T19:47:51Z"
      name: cluster
      resourceVersion: "55086"
      uid: 2f32a71e-4421-4bfd-b497-c9aca2380430
    spec: {}

* Added below for "spec":

      identityProviders:
      - htpasswd:
          fileData:
            name: localusers
        mappingMethod: claim
        name: myusers
        type: HTPasswd

* Replaced the oauth cluster config:

    :~ % oc replace -f ~/cluster-oauth2.yaml
    oauth.config.openshift.io/cluster replaced
    :~ %

* Able to login as "admin":

    :~ % oc login -u admin -p redhat
    Login successful.

    You have access to 65 projects, the list has been suppressed.
    You can list all projects with 'oc projects'

    Using project "default".
    :~ %

* Able to login as "developer":

    :~ % oc login -u developer -p developer
    Login successful.

    You don't have any projects. You can try to create a new project, by running

        oc new-project 
    :~ %

From Console:
- Created new-project "testing-netobserv27" as a developer
- Logged back in as kube:admin, and granted "developer" for "network-diagnostics" CR under namespace "testing-netobserv27"; with that it received access in networking.

* Verified from console:
1. Logged in as "myusers" Group as user "developer"
2. When creating a new network policy:
   a. All features are visible.
   b. An information dialogue with the below text is visible:

    Info alert: When using the OpenShift SDN cluster network provider:
    Egress network policy is not supported.
    IP block exceptions are not supported and would cause the entire IP block section to be ignored.
    Refer to your cluster administrator to know which network provider is used.
    More information: NetworkPolicies documentation

--------------------

Case for SDN cluster and user with less privileges:

    :~ % oc get Network.config.openshift.io cluster -o json | jq '.spec.networkType'
    "OpenShiftSDN"

Created a test-project.

* Verified from console:
1. All network policy features are visible but with an informative message about potentially unavailable features like IP block and Exceptions, Egress for OpenShift SDN.
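Added example, not code from the issue or from the openshift/console PR: the same three cases the console handles (OVN-Kubernetes, OpenShiftSDN, and a user who cannot read the cluster-scoped Network config) applied as a lint over a NetworkPolicy manifest, so an admin can see which parts of a policy OpenShiftSDN would silently ignore and leave the policy looser than written. The Network config JSON and the policy are constructed samples; treating an unknown provider as OpenShiftSDN is an assumption of this example.

```python
import json
from typing import Dict, List, Optional

# Constructed sample: shape of `oc get Network.config.openshift.io cluster -o json`.
SAMPLE_NETWORK_CONFIG = json.dumps({"spec": {"networkType": "OpenShiftSDN"}})

# Constructed sample NetworkPolicy using both constructs OpenShiftSDN does not enforce.
SAMPLE_POLICY = {
    "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
    "metadata": {"name": "web-allow", "namespace": "testing-netobserv27"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "web"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [{"from": [{"ipBlock": {"cidr": "10.0.0.0/8", "except": ["10.0.5.0/24"]}}]}],
        "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "db"}}}]}],
    },
}

def network_type(network_config_json: Optional[str]) -> Optional[str]:
    """networkType from the Network config; None stands for the case where the
    caller could not read the cluster-scoped resource (insufficient permissions)."""
    if network_config_json is None:
        return None
    return json.loads(network_config_json).get("spec", {}).get("networkType")

def lint_policy(policy: Dict, net_type: Optional[str]) -> List[str]:
    """Report the parts of a policy the provider would silently ignore, which
    leaves the policy less restrictive than it reads."""
    findings: List[str] = []
    if net_type is None:
        # Assumption of this example: with the provider unknown, check as if it
        # were OpenShiftSDN, mirroring the console's informative alert.
        findings.append("networkType unknown (insufficient permissions); checking as OpenShiftSDN")
    elif net_type != "OpenShiftSDN":
        return findings  # OVN-Kubernetes enforces egress rules and ipBlock.except
    spec = policy.get("spec", {})
    if spec.get("egress") or "Egress" in spec.get("policyTypes", []):
        findings.append("egress rules are not enforced on OpenShiftSDN")
    for direction, peer_key in (("ingress", "from"), ("egress", "to")):
        for i, rule in enumerate(spec.get(direction, [])):
            for peer in rule.get(peer_key, []):
                block = peer.get("ipBlock") or {}
                if block.get("except"):
                    findings.append(f"{direction}[{i}]: ipBlock.except {block['except']} causes "
                                    f"the whole ipBlock {block.get('cidr')} to be ignored on OpenShiftSDN")
    return findings

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY, network_type(SAMPLE_NETWORK_CONFIG)):
        print("WARNING:", finding)
```

Feed it the real `oc get Network.config.openshift.io cluster -o json` output and a policy loaded from YAML to check manifests before applying them on an OpenShiftSDN cluster.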