[3.6] Verify docker access via non grouped resources #16465
Conversation
In the transition between 3.5 and 3.6, we should target the non grouped resources when performing SARs to confirm image access via docker. This is because a 3.5 master will only allow a SAR against the non grouped resources. Once a 3.5 master has been updated to 3.6, it will still only allow a SAR against the non grouped resources. After cluster role reconciliation is complete and the policy cache is up to date, then the upgraded masters will honor SARs against the group resources. Waiting for this to occur is not a viable solution since it breaks cluster functionality during a high availability upgrade.
Signed-off-by: Monis Khan <mkhan@redhat.com>
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1493213
This error message from #16380 (comment) seems relevant:
@rezie you mentioned that you reconciled after the upgrade. Can you provide specifics on how you did this and the YAML for the
Sure - the commands I ran were taken directly from the manual upgrade guide. The current
@rezie can you also post the YAML for:
Yup:
/lgtm
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: enj, simo5 Assign the PR to them by writing The full list of commands accepted by this bot can be found here.
do we deploy 3.6 registries before completing the 3.6 API upgrade and reconciliation?
@rezie an

```yaml
apiVersion: v1
kind: Role
metadata:
  name: shared-resource-viewer
  namespace: openshift
rules:
- apiGroups:
  - ""
  - template.openshift.io
  attributeRestrictions: null
  resources:
  - templates
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  - image.openshift.io
  attributeRestrictions: null
  resources:
  - imagestreamimages
  - imagestreams
  - imagestreamtags
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  - image.openshift.io
  attributeRestrictions: null
  resources:
  - imagestreams/layers
  verbs:
  - get
```

should "reconcile" this role for you. We will look into a more permanent fix. The diff between this role and the one your cluster has: https://www.diffchecker.com/6qAPbKUQ
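To make the failure mode in this thread concrete, here is a small added model of how a role's `apiGroups` list decides a SAR (example code written for this discussion, not the registry's or the master's real authorizer; wildcards and cluster-scoped rules are deliberately not modelled). A role that lists only `image.openshift.io` for `imagestreams/layers` denies the non-grouped SAR that a 3.5-era registry sends, while the reconciled role above, which lists both `""` and `image.openshift.io`, allows it in either form.

```go
package main

import "fmt"

// PolicyRule keeps the three fields of a role rule that matter for matching.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// SAR is the access question the registry asks the master before serving a
// layer: may this user perform Verb on Resource in APIGroup?
type SAR struct {
	APIGroup, Resource, Verb string
}

func contains(list []string, v string) bool {
	for _, s := range list {
		if s == v {
			return true
		}
	}
	return false
}

// Allowed reports whether any rule grants the request. A rule matches only
// when the request's group, resource and verb are all listed in it; the
// empty string is a real group name (the legacy, non-grouped API), not a
// wildcard, which is exactly why a grouped-only rule misses a legacy SAR.
func Allowed(rules []PolicyRule, r SAR) bool {
	for _, rule := range rules {
		if contains(rule.APIGroups, r.APIGroup) &&
			contains(rule.Resources, r.Resource) &&
			contains(rule.Verbs, r.Verb) {
			return true
		}
	}
	return false
}

// LayersRule builds a "get imagestreams/layers" rule for the given API groups.
func LayersRule(groups ...string) []PolicyRule {
	return []PolicyRule{{APIGroups: groups, Resources: []string{"imagestreams/layers"}, Verbs: []string{"get"}}}
}

func main() {
	legacy := SAR{APIGroup: "", Resource: "imagestreams/layers", Verb: "get"}
	grouped := SAR{APIGroup: "image.openshift.io", Resource: "imagestreams/layers", Verb: "get"}
	fmt.Println(Allowed(LayersRule("image.openshift.io"), legacy))      // false: grouped-only role denies the legacy SAR
	fmt.Println(Allowed(LayersRule("", "image.openshift.io"), legacy))  // true: reconciled role lists both groups
	fmt.Println(Allowed(LayersRule("", "image.openshift.io"), grouped)) // true
}
```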
@enj Thanks! I'll let you know if we still run into this problem after using that configuration.
/hold I think we can avoid this by adding some post upgrade tasks to ansible from 3.5 to 3.6 along with some docs. 3.7 already handles RBAC role reconciliation via a post start hook.
Closing in favor of openshift/openshift-ansible#5617
Fixes #16380
/assign @simo5 @tiran @legionus @mfojtik
@openshift/sig-security