Open ibrokethecloud opened 1 year ago
/backport 2023-Q2-v2.7x test
SURE-6009
I have attempted multiple ways to reproduce this bug with no success.
@ibrokethecloud, please let me know if I am not following the steps correctly, but here is what I do:
With my test user jono-test that has the role Cluster Member for my harvester cluster I attempt to get pcidevices and see I don't have permission:
I create a cluster role that inherits from Cluster Member that has all the verbs for * Resource in API Group devices.harvesterhci.io
I then add my test user (which has no other permissions) to my harvester cluster with the Member Role of pcidevices
Note: My user is a User-Base
k get pcidevices and am successful
Some other things I have attempted that were all successful and behaved as expected:
Cluster Member
*
Some information that could help:
kubectl get roleTemplate <role name> -o yaml
What is the version of Rancher being used? I can share the details of my environment.
The Rancher version is v2.7.4 and Harvester is v1.1.2.
The reason for no error was the lack of actual pcidevice objects being created in the Harvester cluster.
I created some pcidevice objects and now the error is reproducible in the environment.
I was able to create the error temporarily. However, as soon as I added the following role to a user: I was no longer able to recreate the error. Every role I attempted to add afterwards would successfully get propagated to the Harvester cluster (including the existing role that had previously given an error).
I'm going through the logs to try and identify what happened, but this may function as a temporary workaround? Admittedly I can only get it to happen once since the error is gone now, so I'm not sure how consistent this may be.
Moving teams to Harvester, cc @rebeccazzzz
@rebeccazzzz - I haven't seen or heard any movement on this for v2.9.0 or v2.9.1. I am going to move it to v2.9-Next2, please let me know if you have a corresponding Harvester issue and maybe we can close this one?
Rancher Server Setup
Information about the Cluster
A custom role created in Rancher is not propagated to managed Harvester clusters.
For example, in Harvester we have additional cluster-scoped CRDs: pcidevices.devices.harvesterhci.io
A custom role created for pcidevices does not get propagated to the downstream Harvester cluster.
If the same role is assigned to a cluster member on a non-Harvester cluster, like a k3s cluster, the role is propagated correctly.
To Reproduce
Create a custom cluster scoped role on rancher. In this case the role pcidevices provides the following access:
This role is assigned to a user on two clusters:
k3s cluster assignment:
harvester cluster assignment:
Result
When logged in as the test user, I can query pcidevices on the k3s cluster just fine:
However on the harvester cluster this fails:
If I query both downstream clusters using my admin credentials I can see the role rt-x5xpg has been created correctly on the downstream k3s cluster but not on the Harvester cluster.
k3s cluster role query:
harvester cluster role query:
Expected Result
Expected role to be propagated to downstream harvester cluster as well.
Screenshots
Additional context
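The custom role and its per-cluster assignment from the reproduction steps, written out as Rancher manifests (an added example, not from the issue or from the Rancher or Harvester projects). The rules follow the reconstruction given in the thread (all verbs on pcidevices in devices.harvesterhci.io, inheriting Cluster Member); the RoleTemplate name, cluster ID and user ID are placeholders, since the originals were only shown in screenshots.

```yaml
# Added example, not from the issue: a cluster-context RoleTemplate that
# inherits the built-in Cluster Member role and adds full access to the
# pcidevices CRD. The exact rules of the reporter's role are assumed.
apiVersion: management.cattle.io/v3
kind: RoleTemplate
metadata:
  name: rt-pcidevices-example   # placeholder; Rancher normally generates rt-xxxxx
displayName: pcidevices
context: cluster
roleTemplateNames:
  - cluster-member              # inherit Cluster Member, as in the thread
rules:
  - apiGroups:
      - devices.harvesterhci.io
    resources:
      - pcidevices
    verbs:
      - "*"
---
# Assign the RoleTemplate to the test user on one downstream cluster.
# Apply a second copy with the other cluster's ID to reproduce the
# k3s-versus-Harvester comparison from the report.
apiVersion: management.cattle.io/v3
kind: ClusterRoleTemplateBinding
metadata:
  name: pcidevices-test-user    # placeholder
  namespace: c-m-placeholder    # the Rancher cluster ID doubles as the namespace
clusterName: c-m-placeholder    # placeholder cluster ID
roleTemplateName: rt-pcidevices-example
userName: u-placeholder         # the Rancher user ID, not the display name
#
# Checking propagation on each downstream cluster, as the report does:
#   as the test user:
#     kubectl auth can-i list pcidevices.devices.harvesterhci.io
#   with admin credentials (the downstream ClusterRole carries the
#   RoleTemplate name, rt-x5xpg in the report):
#     kubectl get clusterrole rt-pcidevices-example -o yaml
# A "yes" on the k3s cluster and a "no" or missing ClusterRole on the
# Harvester cluster is the propagation gap described above.
```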