Description
Bug Report
What did you do?
Trying to follow the use-case for developers (and not cluster-admins) to deploy operators into a development namespace. Developers can create their own projects where they are (local project) admins.
oc new-project ansible-operator
oc get rolebinding
NAME ROLE USERS GROUPS SERVICE ACCOUNTS SUBJECTS
admin /admin wkulhane-redhat.com
Naturally creating the CRD has to be done as a cluster-admin. But I expect to be able to create (project local) Roles and Role Bindings as a local project admin. This does not work at the moment.
What did you expect to see?
oc create -f deploy/role.yaml
Role memcached-operator created
oc create -f deploy/rolebinding.yaml
RoleBinding memcached-operator created
What did you see instead? Under which circumstances?
oc create -f deploy/role.yaml
Error from server (Forbidden): error when creating "deploy/role.yaml": roles.rbac.authorization.k8s.io "memcached-operator" is forbidden: attempt to grant extra privileges: [{[*] [] [pods] [] []} {[*] [] [services] [] []} {[*] [] [endpoints] [] []} {[*] [] [persistentvolumeclaims] [] []} {[*] [] [events] [] []} {[*] [] [configmaps] [] []} {[*] [] [secrets] [] []} {[*] [apps] [deployments] [] []} {[*] [apps] [daemonsets] [] []} {[*] [apps] [replicasets] [] []} {[*] [apps] [statefulsets] [] []} {[get] [monitoring.coreos.com] [servicemonitors] [] []} {[create] [monitoring.coreos.com] [servicemonitors] [] []} {[*] [cache.example.com] [*] [] []}] user=&{wkulhane-redhat.com 3371479c-db8f-11e8-a57f-06322a6db0d8 [system:authenticated:oauth system:authenticated] map[scopes.authorization.openshift.io:[user:full]]} ownerrules=[{[get] [ user.openshift.io] [users] [~] []} {[list] [ project.openshift.io] [projectrequests] [] []} {[get list] [ authorization.openshift.io] [clusterroles] [] []} {[get list watch] [rbac.authorization.k8s.io] [clusterroles] [] []} {[get list] [storage.k8s.io] [storageclasses] [] []} {[list watch] [ project.openshift.io] [projects] [] []} {[create] [ authorization.openshift.io] [selfsubjectrulesreviews] [] []} {[create] [authorization.k8s.io] [selfsubjectaccessreviews] [] []} {[get] [] [] [] [/healthz /healthz/*]} {[get] [] [] [] [/version /version/* /api /api/* /apis /apis/* /oapi /oapi/* /openapi/v2 /swaggerapi /swaggerapi/* /swagger.json /swagger-2.0.0.pb-v1 /osapi /osapi/ /.well-known /.well-known/* /]} {[create] [ authorization.openshift.io] [selfsubjectrulesreviews] [] []} {[create] [authorization.k8s.io] [selfsubjectaccessreviews] [] []} {[create] [ project.openshift.io] [projectrequests] [] []} {[list watch get] [servicecatalog.k8s.io] [clusterserviceclasses clusterserviceplans] [] []} {[create] [authorization.k8s.io] [selfsubjectaccessreviews selfsubjectrulesreviews] [] []} {[create] [ build.openshift.io] [builds/docker builds/optimizeddocker] 
[] []} {[create] [ build.openshift.io] [builds/jenkinspipeline] [] []} {[create] [ build.openshift.io] [builds/source] [] []} {[get] [] [] [] [/api /api/* /apis /apis/* /healthz /openapi /openapi/* /swagger-2.0.0.pb-v1 /swagger.json /swaggerapi /swaggerapi/* /version /version/]} {[delete] [ oauth.openshift.io] [oauthaccesstokens oauthauthorizetokens] [] []} {[get] [] [] [] [/version /version/* /api /api/* /apis /apis/* /oapi /oapi/* /openapi/v2 /swaggerapi /swaggerapi/* /swagger.json /swagger-2.0.0.pb-v1 /osapi /osapi/ /.well-known /.well-known/* /]} {[impersonate] [authentication.k8s.io] [userextras/scopes.authorization.openshift.io] [] []} {[create get] [ build.openshift.io] [buildconfigs/webhooks] [] []} {[get list watch create update patch delete] [operators.coreos.com] [clusterserviceversions catalogsources installplans subscriptions] [] []} {[create] [automationbroker.io] [access] [] []} {[create delete deletecollection get list patch update watch] [] [pods pods/attach pods/exec pods/portforward pods/proxy] [] []} {[create delete deletecollection get list patch update watch] [] [configmaps endpoints persistentvolumeclaims replicationcontrollers replicationcontrollers/scale secrets serviceaccounts services services/proxy] [] []} {[get list watch] [] [bindings events limitranges namespaces/status pods/log pods/status replicationcontrollers/status resourcequotas resourcequotas/status] [] []} {[get list watch] [] [namespaces] [] []} {[impersonate] [] [serviceaccounts] [] []} {[create delete deletecollection get list patch update watch] [apps] [daemonsets deployments deployments/rollback deployments/scale replicasets replicasets/scale statefulsets statefulsets/scale] [] []} {[create delete deletecollection get list patch update watch] [autoscaling] [horizontalpodautoscalers] [] []} {[create delete deletecollection get list patch update watch] [batch] [cronjobs jobs] [] []} {[create delete deletecollection get list patch update watch] [extensions] [daemonsets 
deployments deployments/rollback deployments/scale ingresses networkpolicies replicasets replicasets/scale replicationcontrollers/scale] [] []} {[create delete deletecollection get list patch update watch] [policy] [poddisruptionbudgets] [] []} {[create delete deletecollection get list patch update watch] [networking.k8s.io] [networkpolicies] [] []} {[create] [authorization.k8s.io] [localsubjectaccessreviews] [] []} {[create delete deletecollection get list patch update watch] [rbac.authorization.k8s.io] [rolebindings roles] [] []} {[create delete deletecollection get list patch update watch] [ authorization.openshift.io] [rolebindings roles] [] []} {[create] [ authorization.openshift.io] [localresourceaccessreviews localsubjectaccessreviews subjectrulesreviews] [] []} {[create] [ security.openshift.io] [podsecuritypolicyreviews podsecuritypolicyselfsubjectreviews podsecuritypolicysubjectreviews] [] []} {[get list watch] [ authorization.openshift.io] [rolebindingrestrictions] [] []} {[create delete deletecollection get list patch update watch] [ build.openshift.io] [buildconfigs buildconfigs/webhooks builds] [] []} {[get list watch] [ build.openshift.io] [builds/log] [] []} {[create] [ build.openshift.io] [buildconfigs/instantiate buildconfigs/instantiatebinary builds/clone] [] []} {[update] [ build.openshift.io] [builds/details] [] []} {[admin edit view] [build.openshift.io] [jenkins] [] []} {[create delete deletecollection get list patch update watch] [ apps.openshift.io] [deploymentconfigs deploymentconfigs/scale] [] []} {[create] [ apps.openshift.io] [deploymentconfigrollbacks deploymentconfigs/instantiate deploymentconfigs/rollback] [] []} {[get list watch] [ apps.openshift.io] [deploymentconfigs/log deploymentconfigs/status] [] []} {[create delete deletecollection get list patch update watch] [ image.openshift.io] [imagestreamimages imagestreammappings imagestreams imagestreams/secrets imagestreamtags] [] []} {[get list watch] [ image.openshift.io] 
[imagestreams/status] [] []} {[get update] [ image.openshift.io] [imagestreams/layers] [] []} {[create] [ image.openshift.io] [imagestreamimports] [] []} {[delete get patch update] [ project.openshift.io] [projects] [] []} {[get list watch] [ quota.openshift.io] [appliedclusterresourcequotas] [] []} {[create delete deletecollection get list patch update watch] [ route.openshift.io] [routes] [] []} {[create] [ route.openshift.io] [routes/custom-host] [] []} {[get list watch] [ route.openshift.io] [routes/status] [] []} {[update] [ route.openshift.io] [routes/status] [] []} {[create delete deletecollection get list patch update watch] [ template.openshift.io] [processedtemplates templateconfigs templateinstances templates] [] []} {[create delete deletecollection get list patch update watch] [extensions networking.k8s.io] [networkpolicies] [] []} {[create delete deletecollection get list patch update watch] [ build.openshift.io] [buildlogs] [] []} {[get list watch] [] [resourcequotausages] [] []} {[create] [ authorization.openshift.io] [resourceaccessreviews subjectaccessreviews] [] []} {[create update delete get list watch patch] [servicecatalog.k8s.io] [servicebrokers serviceclasses serviceplans serviceinstances servicebindings] [] []} {[create update delete get list watch] [settings.k8s.io] [podpresets] [] []}] ruleResolutionErrors=[]
Same for rolebinding.yaml
Environment
- operator-sdk version: master as of 10/30/2018
- Kubernetes version information: OpenShift Container Platform 3.11.16
kubectl version:
Client Version: version.Info{Major:"1", Minor:"11+", GitVersion:"v1.11.0+d4cacc0", GitCommit:"d4cacc0", GitTreeState:"clean", BuildDate:"2018-10-10T16:38:01Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"11+", GitVersion:"v1.11.0+d4cacc0", GitCommit:"d4cacc0", GitTreeState:"clean", BuildDate:"2018-09-26T12:30:09Z", GoVersion:"go1.10.2", Compiler:"gc", Platform:"linux/amd64"}
oc version:
oc v3.11.0+0cbc58b
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO
Server https://master.wk311.example.opentlc.com:443
openshift v3.11.16
kubernetes v1.11.0+d4cacc0
- Kubernetes cluster kind: OpenShift Container Platform 3.11.16
- Are you writing your operator in ansible or go? Ansible
@shawn-hurley As requested. :-) Let me know if you need a live cluster to test.
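The Forbidden error in the report is the API server's RBAC escalation-prevention check: a user may create a Role only if every permission it grants is already held by that user, and a requested verb or resource `*` is covered only by an owned `*`. The following Python model of that check is an added example, not code from the report or from operator-sdk; it replays the requested rules and a subset of the ownerrules quoted in the error message to show which grants fall outside what a project admin holds.

```python
"""Simplified model of the Kubernetes RBAC escalation-prevention check.

A user may create a Role only if every (verb, apiGroup, resource) triple the
Role grants is already covered by a rule the user holds. The sample rules
below are transcribed from the error message in this report (OWNED is a
subset of the printed ownerrules).
"""
from itertools import product

ADMIN_VERBS = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]

# Rules requested by deploy/role.yaml, as (verbs, apiGroups, resources); "" is the core group.
REQUESTED = [
    (["*"], [""], ["pods"]),
    (["*"], [""], ["secrets"]),
    (["*"], ["apps"], ["deployments"]),
    (["get"], ["monitoring.coreos.com"], ["servicemonitors"]),
    (["create"], ["monitoring.coreos.com"], ["servicemonitors"]),
    (["*"], ["cache.example.com"], ["*"]),
]

# Rules the project admin holds (from the ownerrules list in the error).
OWNED = [
    (ADMIN_VERBS, [""], ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]),
    (ADMIN_VERBS, [""], ["configmaps", "endpoints", "persistentvolumeclaims", "secrets", "services"]),
    (ADMIN_VERBS, ["apps"], ["daemonsets", "deployments", "replicasets", "statefulsets"]),
    (ADMIN_VERBS, ["rbac.authorization.k8s.io"], ["rolebindings", "roles"]),
]

def _matches(allowed, wanted):
    # An owned wildcard covers anything; a requested wildcard needs an owned wildcard.
    return "*" in allowed or wanted in allowed

def covers(owned_rule, verb, group, resource):
    verbs, groups, resources = owned_rule
    return _matches(verbs, verb) and _matches(groups, group) and _matches(resources, resource)

def uncovered(requested, owned):
    """Return the (verb, group, resource) triples that no owned rule covers."""
    missing = []
    for verbs, groups, resources in requested:
        for triple in product(verbs, groups, resources):
            if not any(covers(rule, *triple) for rule in owned):
                missing.append(triple)
    return missing

if __name__ == "__main__":
    for triple in uncovered(REQUESTED, OWNED):
        print("not covered by the project admin's own permissions:", triple)
```

Every `*` rule and every rule on the monitoring.coreos.com and cache.example.com groups comes back uncovered, which is exactly the "attempt to grant extra privileges" list in the error; a cluster-admin holds `*` and so is not blocked.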