operator-framework / operator-lifecycle-manager

A management framework for extending Kubernetes with Operators
https://olm.operatorframework.io
Apache License 2.0

OLM allows edit cluster role users to create new resource #1587

Open xiangjingli opened 4 years ago

xiangjingli commented 4 years ago

Bug Report

After installing an operator, an edit cluster role is generated by OLM in which the create verb is included. That allows users with the edit role to create new resources.

What did you do?

  1. Install the Multicluster Subscription Operator from OperatorHub in OpenShift.
  2. Check that the edit cluster role is generated with the create verb:
    % oc get clusterrole applications.app.k8s.io-v1beta1-edit -o yaml
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      creationTimestamp: "2020-06-21T04:34:40Z"
      labels:
        olm.opgroup.permissions/aggregate-to-6c3bb1110d0b9f9c-edit: "true"
        rbac.authorization.k8s.io/aggregate-to-edit: "true"
      name: applications.app.k8s.io-v1beta1-edit
      ownerReferences:
      - apiVersion: apiextensions.k8s.io/v1beta1
        blockOwnerDeletion: false
        controller: false
        kind: CustomResourceDefinition
        name: applications.app.k8s.io
        uid: 8e2952cd-71fc-4370-8d97-cd9c1f25d017
      resourceVersion: "66882843"
      selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/applications.app.k8s.io-v1beta1-edit
      uid: 0bbc53d5-dd5d-4a73-a1ac-05afe5d3e2ef
    rules:
    - apiGroups:
      - app.k8s.io
      resources:
      - applications
      verbs:
      - create
      - update
      - patch
      - delete

What did you expect to see?

It seems that edit role users should not be allowed to create new resources. On the other hand, we noticed that the create permission is widely applied in all OpenShift edit roles, e.g. system:openshift:aggregate-to-edit.

Could someone clarify whether this is by OpenShift/OLM design?
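As an added audit example (not part of the issue or of OLM's own code): a small Python check that walks a ClusterRoleList, picks out CRD-owned roles carrying the `rbac.authorization.k8s.io/aggregate-to-edit` label (the mechanism by which the role above is folded into the built-in `edit` role) and reports the write verbs each one contributes. The sample roles are constructed from the output in the report plus a hypothetical read-only `-view` sibling.

```python
"""Audit OLM-generated ClusterRoles that aggregate into Kubernetes' built-in ``edit`` role."""

AGGREGATE_TO_EDIT = "rbac.authorization.k8s.io/aggregate-to-edit"
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}

def is_crd_owned(role):
    """True if a CustomResourceDefinition owns the role (OLM generates these per CRD)."""
    refs = role.get("metadata", {}).get("ownerReferences", [])
    return any(ref.get("kind") == "CustomResourceDefinition" for ref in refs)

def write_grants(role):
    """(apiGroup, resource, verbs) for every rule that grants a write verb."""
    grants = []
    for rule in role.get("rules", []):
        verbs = tuple(sorted(set(rule.get("verbs", [])) & WRITE_VERBS))
        if not verbs:
            continue
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                grants.append((group, resource, verbs))
    return grants

def audit_edit_aggregation(role_list):
    """Map role name -> write grants for CRD-owned roles labelled aggregate-to-edit."""
    findings = {}
    for role in role_list.get("items", []):
        labels = role.get("metadata", {}).get("labels", {})
        if labels.get(AGGREGATE_TO_EDIT) == "true" and is_crd_owned(role):
            grants = write_grants(role)
            if grants:
                findings[role["metadata"]["name"]] = grants
    return findings

# Constructed sample: the -edit role from the issue plus a hypothetical read-only -view sibling.
CRD_OWNER = [{"kind": "CustomResourceDefinition", "name": "applications.app.k8s.io"}]
SAMPLE = {"kind": "ClusterRoleList", "items": [
    {"metadata": {"name": "applications.app.k8s.io-v1beta1-edit",
                  "labels": {AGGREGATE_TO_EDIT: "true"}, "ownerReferences": CRD_OWNER},
     "rules": [{"apiGroups": ["app.k8s.io"], "resources": ["applications"],
                "verbs": ["create", "update", "patch", "delete"]}]},
    {"metadata": {"name": "applications.app.k8s.io-v1beta1-view",
                  "labels": {"rbac.authorization.k8s.io/aggregate-to-view": "true"},
                  "ownerReferences": CRD_OWNER},
     "rules": [{"apiGroups": ["app.k8s.io"], "resources": ["applications"],
                "verbs": ["get", "list", "watch"]}]}]}

if __name__ == "__main__":
    for name, grants in audit_edit_aggregation(SAMPLE).items():
        for group, resource, verbs in grants:
            print(f"{name}: edit users may {', '.join(verbs)} {resource}.{group}")
```

To run it against a live cluster, feed `audit_edit_aggregation` the parsed output of `kubectl get clusterroles -o json` instead of `SAMPLE`.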

stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

jnpacker commented 3 years ago

This still seems to be a problem.

mikeshng commented 3 years ago

Hi @joelanford, do you have any insight around this area? Thanks.