
OLM allows edit cluster role users to create new resource

Open xiangjingli opened this issue 4 years ago • 5 comments

Bug Report

After installing an operator, one edit cluster role is generated by OLM, where the create verb is added. That allows users with the edit role to create new resources.

What did you do?

  1. Install Multicluster Subscription Operator from operator hub in Openshift.
  2. Check that the edit cluster role is generated with the create verb
% oc get clusterrole applications.app.k8s.io-v1beta1-edit -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2020-06-21T04:34:40Z"
  labels:
    olm.opgroup.permissions/aggregate-to-6c3bb1110d0b9f9c-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: applications.app.k8s.io-v1beta1-edit
  ownerReferences:
  - apiVersion: apiextensions.k8s.io/v1beta1
    blockOwnerDeletion: false
    controller: false
    kind: CustomResourceDefinition
    name: applications.app.k8s.io
    uid: 8e2952cd-71fc-4370-8d97-cd9c1f25d017
  resourceVersion: "66882843"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/applications.app.k8s.io-v1beta1-edit
  uid: 0bbc53d5-dd5d-4a73-a1ac-05afe5d3e2ef
rules:
- apiGroups:
  - app.k8s.io
  resources:
  - applications
  verbs:
  - create
  - update
  - patch
  - delete

What did you expect to see?

It seems an edit role user should not be allowed to create new resources. On the other hand, we noticed that the create permission is widely applied in all OpenShift edit roles, e.g. system:openshift:aggregate-to-edit.

Could someone clarify if this is by OpenShift/OLM design?

xiangjingli avatar Jun 22 '20 21:06 xiangjingli
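The mechanism behind the report is ClusterRole aggregation: the kube-controller-manager merges the rules of every ClusterRole labelled `rbac.authorization.k8s.io/aggregate-to-edit: "true"` into the built-in `edit` role, and because `edit` itself carries `aggregate-to-admin: "true"`, the same rules reach `admin`. So the OLM-generated role above is not bound to anyone directly; it changes what every existing `edit` and `admin` binding in the cluster permits. The script below is an added example (not OLM or OpenShift code) that reproduces the aggregation controller's resolution offline so you can see the effective rules. The OLM role is copied from the issue; the `view`, `edit`, `admin` and `system:aggregate-to-edit` objects are trimmed stand-ins for the built-in roles, and the `-view` companion role is an assumed shape.

```python
"""Offline resolver for Kubernetes ClusterRole aggregation.

Added example (not OLM's or OpenShift's code). It reproduces what the
kube-controller-manager's ClusterRole aggregation controller does, so you
can see which rules a subject bound to `edit` or `admin` actually gets
once OLM labels a CRD's ClusterRole with aggregate-to-edit.

Assumptions (constructed data, not read from a cluster):
  * the OLM-generated role is copied from the issue;
  * `view`, `edit`, `admin` and `system:aggregate-to-edit` are trimmed
    stand-ins for the built-in roles (only the aggregation wiring plus one
    native rule are kept);
  * the OLM `-view` companion role is assumed to exist with get/list/watch.
Only matchLabels selectors, resource-level rules and the `*` wildcard are
modelled; matchExpressions, resourceNames, subresources and nonResourceURLs
are out of scope.
"""

AGG = "rbac.authorization.k8s.io/aggregate-to-"

CLUSTER_ROLES = [
    {  # copied from the issue: what OLM generated for the CRD
        "metadata": {"name": "applications.app.k8s.io-v1beta1-edit",
                     "labels": {AGG + "edit": "true",
                                "olm.opgroup.permissions/aggregate-to-6c3bb1110d0b9f9c-edit": "true"}},
        "rules": [{"apiGroups": ["app.k8s.io"], "resources": ["applications"],
                   "verbs": ["create", "update", "patch", "delete"]}],
    },
    {  # assumed companion role OLM creates for read-only access
        "metadata": {"name": "applications.app.k8s.io-v1beta1-view",
                     "labels": {AGG + "view": "true"}},
        "rules": [{"apiGroups": ["app.k8s.io"], "resources": ["applications"],
                   "verbs": ["get", "list", "watch"]}],
    },
    {  # stand-in for the upstream role that carries edit's native rules
        "metadata": {"name": "system:aggregate-to-edit", "labels": {AGG + "edit": "true"}},
        "rules": [{"apiGroups": [""], "resources": ["pods"],
                   "verbs": ["create", "delete", "get", "list"]}],
    },
    {  # built-in view: collects *-to-view, and is itself fed into edit
        "metadata": {"name": "view", "labels": {AGG + "edit": "true"}},
        "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {AGG + "view": "true"}}]},
        "rules": [],
    },
    {  # built-in edit: collects *-to-edit, and is itself fed into admin
        "metadata": {"name": "edit", "labels": {AGG + "admin": "true"}},
        "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {AGG + "edit": "true"}}]},
        "rules": [],
    },
    {  # built-in admin: collects *-to-admin
        "metadata": {"name": "admin", "labels": {}},
        "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {AGG + "admin": "true"}}]},
        "rules": [],
    },
]


def _selector_matches(selector, labels):
    """matchLabels only: every listed key must be present with the same value."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def effective_rules(name, roles=CLUSTER_ROLES, _seen=None):
    """Rules the controller would write into .rules of `name`.

    A role with an aggregationRule has its rules *replaced* by the union of the
    (already aggregated) rules of every role its selectors match; aggregation is
    therefore transitive (view -> edit -> admin). A seen-set guards against cycles.
    """
    seen = set() if _seen is None else _seen
    if name in seen:
        return []
    seen.add(name)
    role = next(r for r in roles if r["metadata"]["name"] == name)
    selectors = role.get("aggregationRule", {}).get("clusterRoleSelectors", [])
    if not selectors:
        return list(role.get("rules", []))
    rules = []
    for sel in selectors:
        for other in roles:
            if other is not role and _selector_matches(sel, other["metadata"].get("labels", {})):
                rules.extend(effective_rules(other["metadata"]["name"], roles, seen))
    return rules


def _covers(patterns, value):
    return "*" in patterns or value in patterns


def allows(rules, verb, api_group, resource):
    """RBAC grant check: one rule covering group, resource and verb is enough."""
    return any(_covers(r.get("apiGroups", []), api_group)
               and _covers(r.get("resources", []), resource)
               and _covers(r.get("verbs", []), verb) for r in rules)


def can(role_name, verb, api_group, resource, roles=CLUSTER_ROLES):
    """Would a subject bound to `role_name` be allowed `verb` on group/resource?"""
    return allows(effective_rules(role_name, roles), verb, api_group, resource)


def roles_granting(verb, api_group, resource, roles=CLUSTER_ROLES):
    """Every ClusterRole that permits the request directly or via aggregation."""
    return sorted(r["metadata"]["name"] for r in roles
                  if allows(effective_rules(r["metadata"]["name"], roles), verb, api_group, resource))


if __name__ == "__main__":
    req = ("create", "app.k8s.io", "applications")
    for name in ("view", "edit", "admin"):
        print(f"{name:>6}: create applications.app.k8s.io -> {can(name, *req)}")
    print("granted by:", roles_granting(*req))
```

On a live cluster the same question is answered by `kubectl get clusterrole edit -o yaml`, since the controller writes the merged rules into `.rules` of `edit`; `kubectl get clusterroles -l rbac.authorization.k8s.io/aggregate-to-edit=true` lists every role feeding it, and `kubectl auth can-i create applications.app.k8s.io --as=<user> -n <namespace>` checks a concrete subject. The upstream `edit` role is documented as read/write access to most namespaced objects, so an operator that labels its CRD role `aggregate-to-edit` is opting that CRD into the same scope; whether that is wanted for a given CRD is a decision to make per operator, because every existing `edit` and `admin` binding picks up the new verbs the moment the label appears.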

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Aug 22 '20 21:08 stale[bot]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Oct 22 '20 09:10 stale[bot]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Dec 21 '20 15:12 stale[bot]

This still seems to be a problem.

jnpacker avatar Sep 24 '21 15:09 jnpacker

Hi @joelanford do you have any insight around this area? Thanks.

mikeshng avatar Sep 24 '21 15:09 mikeshng