Bug 1689457 - openshift sdn service account has cluster-reader
Summary: openshift sdn service account has cluster-reader
Keywords:
Status: NEW
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 3.11.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 3.11.z
Assignee: Dan Winship
QA Contact: Meng Bo
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-03-15 23:17 UTC by Jim Minter
Modified: 2019-04-10 14:53 UTC (History)
CC List: 4 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:



Description Jim Minter 2019-03-15 23:17:49 UTC
At least on 3.11, the openshift-sdn/sdn service account is given the cluster-reader. It ought to be possible for it to run with less (e.g. cf sdn-reader); ideally it should.

Would be great to see this improved in 4.x.

https://github.com/openshift/openshift-ansible/blob/70df84993613db779e101adbdb0d14ebe613cccd/roles/openshift_sdn/files/sdn-policy.yaml#L9-L18
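
A way to check for the pattern this report describes, as an added example that is not part of the bug report or of OpenShift itself: the script below reads the JSON shape that `oc get clusterrolebindings -o json` returns and flags every ServiceAccount subject bound to a broad ClusterRole such as cluster-reader. The input is constructed to mirror the report (the openshift-sdn/sdn service account on cluster-reader); the `sdn-reader` binding and the `auditors` group in the sample are assumed names used only for contrast.

```python
"""Audit ClusterRoleBindings for service accounts granted broad cluster-wide roles.

Added example, not part of the bug report or of OpenShift. It reads the JSON
that `oc get clusterrolebindings -o json` produces; the sample below is
constructed to mirror the bug: the openshift-sdn/sdn service account bound
to cluster-reader.
"""
import json
from typing import Dict, List, Tuple

# Roles a dedicated component account normally should not need cluster-wide.
BROAD_ROLES = frozenset({"cluster-admin", "cluster-reader"})

# Constructed sample; a real run would pipe in `oc get clusterrolebindings -o json`.
SAMPLE_BINDINGS = json.dumps({
    "kind": "ClusterRoleBindingList",
    "items": [
        {   # the binding the bug report points at
            "metadata": {"name": "sdn-cluster-reader"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-reader"},
            "subjects": [{"kind": "ServiceAccount", "name": "sdn", "namespace": "openshift-sdn"}],
        },
        {   # assumed scoped role for comparison (name made up for this example)
            "metadata": {"name": "sdn-reader"},
            "roleRef": {"kind": "ClusterRole", "name": "sdn-reader"},
            "subjects": [{"kind": "ServiceAccount", "name": "sdn", "namespace": "openshift-sdn"}],
        },
        {   # a human group on cluster-reader: not a service account, so not flagged here
            "metadata": {"name": "auditors"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-reader"},
            "subjects": [{"kind": "Group", "name": "auditors"}],
        },
    ],
})


def subject_id(subject: Dict[str, str]) -> str:
    """Render a subject the way Kubernetes names it (system:serviceaccount:ns:name for SAs)."""
    if subject.get("kind") == "ServiceAccount":
        return f"system:serviceaccount:{subject.get('namespace', '')}:{subject['name']}"
    return f"{subject.get('kind', '?')}:{subject['name']}"


def find_broad_bindings(bindings_json: str, broad_roles=BROAD_ROLES) -> List[Tuple[str, str, str]]:
    """Return (binding name, subject id, role) for each ServiceAccount bound to a broad ClusterRole.

    Only ServiceAccount subjects are flagged: an automated component holding
    cluster-reader is the pattern the bug describes, and the remedy is a
    narrower ClusterRole listing just the resources and verbs it uses.
    """
    findings = []
    for item in json.loads(bindings_json).get("items", []):
        role = item.get("roleRef", {})
        if role.get("kind") != "ClusterRole" or role.get("name") not in broad_roles:
            continue
        for subj in item.get("subjects") or []:   # subjects may be absent (null) in real output
            if subj.get("kind") == "ServiceAccount":
                findings.append((item["metadata"]["name"], subject_id(subj), role["name"]))
    return findings


def service_account_roles(bindings_json: str, sa: str) -> List[str]:
    """List every ClusterRole bound to one service account id (system:serviceaccount:ns:name)."""
    roles = []
    for item in json.loads(bindings_json).get("items", []):
        for subj in item.get("subjects") or []:
            if subject_id(subj) == sa:
                roles.append(item["roleRef"]["name"])
    return roles


if __name__ == "__main__":
    for binding, subj, role in find_broad_bindings(SAMPLE_BINDINGS):
        print(f"{binding}: {subj} -> {role}")
    print(service_account_roles(SAMPLE_BINDINGS, "system:serviceaccount:openshift-sdn:sdn"))
```

On a live cluster, replace `SAMPLE_BINDINGS` with the output of `oc get clusterrolebindings -o json`; a service account that appears in `find_broad_bindings` while a scoped role already exists for it (as the constructed `sdn-reader` shows) is the case where the broad binding can simply be dropped.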

Comment 1 Dan Winship 2019-03-28 16:30:01 UTC
(In reply to Jim Minter from comment #0)
> Would be great to see this improved in 4.x.

Permissions were redone in 4.x; the cluster-network-operator now creates its own ClusterRole/ClusterRoleBinding with just the permissions it needs. (Hm... although Origin still creates the old one too even though nothing uses it now. I'll file a PR for that.)

This could still potentially be fixed in 3.11.z.

Comment 2 Dan Winship 2019-03-28 16:51:58 UTC
(filed https://github.com/openshift/origin/pull/22428 about cleaning up the unused roles in 4.1)

Comment 3 Ben Bennett 2019-04-09 13:16:39 UTC
@Dan: Are you going to have time to do anything for this for 4.1? Is it worth the risk of a change at this date?

Comment 4 Dan Winship 2019-04-09 14:17:46 UTC
This bug is only about the situation in 3.11. It is already fixed in 4.1. (The issue of there being unused roles in 4.1 is separate, and doesn't matter security-wise, since the role is unused so it doesn't matter what permissions it has.)

