Checking permissions for using Kubernetes/OpenShift components fails for regular users #1049

amisevsk opened this issue Feb 21, 2023 · 0 comments · Fixed by #1050
amisevsk commented Feb 21, 2023

Description

When verifying RBAC for Kubernetes components in a DevWorkspace, DWO checks whether the user is able to work with this object in the current namespace. To avoid multiple SAR tests per request, the webhook server checks that the user can * the relevant resource, equivalent to

    oc auth can-i '*' <resource> -n <namespace>

However, even if the user has admin privileges, granting all individual verbs for the resource, the SAR request appears to check if the user explicitly has * permissions, causing the check to fail.

How To Reproduce

  1. Create a regular user in an OpenShift cluster and create a namespace for testing
  2. (optional) Verify the user can use all verbs on pods:
    for verb in create delete deletecollection get list patch update watch; do oc auth can-i $verb pods -n $NAMESPACE; done
    
  3. (optional) Verify the user cannot * pods:
    oc auth can-i '*' pods -n $NAMESPACE
    
  4. Create a DevWorkspace that has a pod component

Expected behavior

Check should be improved to avoid this issue.

Additional context
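
The behaviour described in this issue, shown as an added example that is not part of the original report or of the DevWorkspace Operator code: a simplified Go model of RBAC verb matching in which `*` acts as a wildcard only inside a rule, so a request for verb `*` is denied by a role that lists every verb individually, while a per-verb check reports full access. The `PolicyRule` type, the function names and the sample role are constructed for illustration.

```go
package main

import "fmt"

// PolicyRule is a simplified, hypothetical stand-in for an RBAC rule (no API groups or resourceNames).
type PolicyRule struct {
	Resources []string
	Verbs     []string
}

// matches compares a requested value with a rule's entries the way RBAC does:
// "*" is a wildcard only on the rule side, never on the request side.
func matches(ruleValues []string, requested string) bool {
	for _, v := range ruleValues {
		if v == "*" || v == requested {
			return true
		}
	}
	return false
}

// Allowed reports whether any rule grants verb on resource.
func Allowed(rules []PolicyRule, verb, resource string) bool {
	for _, r := range rules {
		if matches(r.Resources, resource) && matches(r.Verbs, verb) {
			return true
		}
	}
	return false
}

// MissingVerbs checks each verb on its own and returns those not granted; empty means full access.
func MissingVerbs(rules []PolicyRule, resource string, verbs []string) []string {
	var missing []string
	for _, v := range verbs {
		if !Allowed(rules, v, resource) {
			missing = append(missing, v)
		}
	}
	return missing
}

// Constructed sample: a namespace role that lists every pod verb explicitly.
var AllVerbs = []string{"create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"}
var ExplicitRole = []PolicyRule{{Resources: []string{"pods"}, Verbs: AllVerbs}}

func main() {
	fmt.Println("can-i '*' pods:", Allowed(ExplicitRole, "*", "pods"))
	fmt.Println("missing verbs:", MissingVerbs(ExplicitRole, "pods", AllVerbs))
}
```

The per-verb approach costs one access review per verb, which is the trade-off the single `*` check was meant to avoid.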
