headlamp-k8s / headlamp

A Kubernetes web UI that is fully-featured, user-friendly and extensible
https://headlamp.dev
Apache License 2.0

Headlamp doesn't send correct resource name parameter for CRDs to the SelfSubjectAccessReview API #1552

Closed dioniseo closed 11 months ago

dioniseo commented 11 months ago

Hello, this issue is similar to https://github.com/headlamp-k8s/headlamp/issues/1490 but a little bit different and related to CustomResourceDefinition objects. I've tried to edit a namespace-scoped CustomResource (like ServiceMonitor or Certificate) with my namespace-scoped service account that is bound to the cluster role admin.

Currently Headlamp sends an incorrect resource name for CRD resources in the SelfSubjectAccessReview API call:

{"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","spec":{"resourceAttributes":{"verb":"update","name":"my-servicemonitor","namespace":"my-namespace","group":"monitoring.coreos.com","version":"v1","resource":"crds"}}}

Response:

"status": { "allowed": false }

This request returns an incorrect false response for a user who is admin in the namespace only and should be able to edit these resources.

Note that resource is crds for all requests to all CustomResource objects. Instead it should send the correct CustomResource name, like:

{"kind":"SelfSubjectAccessReview","apiVersion":"authorization.k8s.io/v1","spec":{"resourceAttributes":{"verb":"update","name":"my-servicemonitor","namespace":"my-namespace","group":"monitoring.coreos.com","version":"v1","resource":"servicemonitors"}}}

This request returns correct response:

"status": { "allowed": true, "reason": "RBAC: allowed by RoleBinding \"namespace-admin\" of ClusterRole \"admin\" to ServiceAccount \"namespace-admin\"" }
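One way to derive the resource attributes correctly, as an added example that is not Headlamp's own code: look up the CRD that defines the object (matching spec.group and spec.names.kind) and use its spec.names.plural as the resource, since that is the name RBAC rules refer to. The sample CRD and ServiceMonitor below are constructed, trimmed to the fields the check needs.

```typescript
// Added example, not Headlamp's code: build a SelfSubjectAccessReview for a
// custom resource from its CRD instead of hard-coding resource "crds".
interface Crd {
  spec: { group: string; names: { plural: string; kind: string } };
}
interface CustomResource {
  apiVersion: string;
  kind: string;
  metadata: { name: string; namespace?: string };
}
interface ResourceAttributes {
  verb: string; group: string; version: string; resource: string; name: string; namespace?: string;
}
interface SelfSubjectAccessReview {
  kind: 'SelfSubjectAccessReview';
  apiVersion: 'authorization.k8s.io/v1';
  spec: { resourceAttributes: ResourceAttributes };
}

// Constructed sample CRD and custom resource (not real manifest dumps).
const serviceMonitorCrd: Crd = {
  spec: { group: 'monitoring.coreos.com', names: { plural: 'servicemonitors', kind: 'ServiceMonitor' } },
};
const myServiceMonitor: CustomResource = {
  apiVersion: 'monitoring.coreos.com/v1',
  kind: 'ServiceMonitor',
  metadata: { name: 'my-servicemonitor', namespace: 'my-namespace' },
};

// apiVersion is "group/version" for CRs; core-group objects ("v1") have no group.
function splitApiVersion(apiVersion: string): { group: string; version: string } {
  const i = apiVersion.indexOf('/');
  return i < 0 ? { group: '', version: apiVersion } : { group: apiVersion.slice(0, i), version: apiVersion.slice(i + 1) };
}

function buildSelfSubjectAccessReview(crds: Crd[], cr: CustomResource, verb: string): SelfSubjectAccessReview {
  const { group, version } = splitApiVersion(cr.apiVersion);
  // Match the CRD by group and kind; the RBAC resource is its plural name.
  const crd = crds.find((c) => c.spec.group === group && c.spec.names.kind === cr.kind);
  if (!crd) throw new Error(`no CRD found for ${cr.kind} in group "${group}"`);
  const resourceAttributes: ResourceAttributes = {
    verb, group, version, resource: crd.spec.names.plural, name: cr.metadata.name,
  };
  if (cr.metadata.namespace !== undefined) resourceAttributes.namespace = cr.metadata.namespace;
  return { kind: 'SelfSubjectAccessReview', apiVersion: 'authorization.k8s.io/v1', spec: { resourceAttributes } };
}

// Spots the bug from this report in a review body: "crds" is not a real resource name.
function targetsWrongResource(review: SelfSubjectAccessReview): boolean {
  return review.spec.resourceAttributes.resource === 'crds';
}
```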

joaquimrocha commented 11 months ago

Thanks @Denis220795. We will look into that in the coming days hopefully.