Influx of roles w/o systemOnly annotation #14411

Closed
benjaminapetersen opened this issue May 30, 2017 · 3 comments
Labels
component/auth kind/bug Categorizes issue or PR as related to a bug. priority/P1

@benjaminapetersen
Contributor

There is a sudden influx of roles coming back from the API. We believe it is due to kubernetes imports. Previously ~ 8 roles made it through our systemOnly filter. At the moment I'm seeing 53 (with 101 total roles).

Filtered:

["admin","basic-user","edit","system:auth-delegator","system:basic-user","system:build-controller","system:certificate-signing-controller","system:controller:attachdetach-controller","system:controller:certificate-controller","system:controller:cronjob-controller","system:controller:daemon-set-controller","system:controller:deployment-controller","system:controller:disruption-controller","system:controller:endpoint-controller","system:controller:generic-garbage-collector","system:controller:horizontal-pod-autoscaler","system:controller:job-controller","system:controller:namespace-controller","system:controller:node-controller","system:controller:persistent-volume-binder","system:controller:pod-garbage-collector","system:controller:replicaset-controller","system:controller:replication-controller","system:controller:resourcequota-controller","system:controller:route-controller","system:controller:service-account-controller","system:controller:service-controller","system:controller:statefulset-controller","system:controller:ttl-controller","system:daemonset-controller","system:deployer","system:deployment-controller","system:deploymentconfig-controller","system:disruption-controller","system:endpoint-controller","system:garbage-collector-controller","system:gc-controller","system:heapster","system:hpa-controller","system:image-builder","system:image-puller","system:image-pusher","system:job-controller","system:kube-aggregator","system:kube-controller-manager","system:kube-dns","system:kube-scheduler","system:namespace-controller","system:node-problem-detector","system:replicaset-controller","system:replication-controller","system:statefulset-controller","view"]

Unfiltered:

["admin","basic-user","cluster-admin","cluster-debugger","cluster-reader","cluster-status","edit","registry-admin","registry-editor","registry-viewer","self-access-reviewer","self-provisioner","storage-admin","sudoer","system:auth-delegator","system:basic-user","system:build-controller","system:build-strategy-custom","system:build-strategy-docker","system:build-strategy-jenkinspipeline","system:build-strategy-source","system:certificate-signing-controller","system:controller:attachdetach-controller","system:controller:certificate-controller","system:controller:cronjob-controller","system:controller:daemon-set-controller","system:controller:deployment-controller","system:controller:disruption-controller","system:controller:endpoint-controller","system:controller:generic-garbage-collector","system:controller:horizontal-pod-autoscaler","system:controller:job-controller","system:controller:namespace-controller","system:controller:node-controller","system:controller:persistent-volume-binder","system:controller:pod-garbage-collector","system:controller:replicaset-controller","system:controller:replication-controller","system:controller:resourcequota-controller","system:controller:route-controller","system:controller:service-account-controller","system:controller:service-controller","system:controller:statefulset-controller","system:controller:ttl-controller","system:daemonset-controller","system:deployer","system:deployment-controller","system:deploymentconfig-controller","system:discovery","system:disruption-controller","system:endpoint-controller","system:garbage-collector-controller","system:gc-controller","system:heapster","system:hpa-controller","system:image-auditor","system:image-builder","system:image-pruner","system:image-puller","system:image-pusher","system:image-signer","system:imagetrigger-controller","system:job-controller","system:kube-aggregator","system:kube-controller-manager","system:kube-dns","system:kube-scheduler","system:master","system:namespace-controller","system:node","system:node-admin","system:node-bootstrapper","system:node-problem-detector","system:node-proxier","system:node-reader","system:oauth-token-deleter","system:openshift:controller:build-controller","system:openshift:controller:deployer-controller","system:openshift:controller:deployment-trigger-controller","system:openshift:controller:deploymentconfig-controller","system:openshift:controller:template-instance-controller","system:openshift:template-service-broker","system:openshift:templateservicebroker-client","system:persistent-volume-provisioner","system:pv-attach-detach-controller","system:pv-binder-controller","system:pv-provisioner-controller","system:pv-recycler-controller","system:registry","system:replicaset-controller","system:replication-controller","system:router","system:sdn-manager","system:sdn-reader","system:service-ingress-ip-controller","system:service-load-balancer-controller","system:service-serving-cert-controller","system:statefulset-controller","system:unidling-controller","system:webhook","view"]

Version

oc v3.6.0-alpha.1+a1dffba-860-dirty
kubernetes v1.6.1+5115d708d7
features: Basic-Auth

Server https://127.0.0.1:8443
openshift v3.6.0-alpha.1+3ecdeba-864
kubernetes v1.6.1+5115d708d7

bpeterse at dhcp129-188 in ~/

Steps To Reproduce

In web console, navigate to membership page, click edit membership, use any of the select boxes under the Add another role heading. Toggle the show hidden roles checkbox.

Current Result

53 filtered roles, 101 total roles

Expected Result

8 filtered roles, 101 total roles

@enj @jwforres

@benjaminapetersen benjaminapetersen changed the title Influx of roles Influx of roles w/o systemOnly annotation May 30, 2017
@benjaminapetersen
Contributor Author

Original annotation PR: #11328

@jwforres jwforres added component/auth kind/bug Categorizes issue or PR as related to a bug. priority/P1 labels May 30, 2017
@jwforres
Member

considering this a P1 because of the end user impact in the console

@liggitt
Contributor

liggitt commented May 31, 2017

@enj I would add the system-only annotation to all the system: roles we pull in from kube by default
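
The filtering gap reported in this issue, as an added example that is not code from the web console or from any participant in the thread: a role picker that hides roles by annotation shows every role lacking it, so an audit for unannotated `system:` roles finds the leak. The annotation key `authorization.openshift.io/system-only`, the role object shape and the helper names are assumptions; the role names come from the lists above, and which of them carry the annotation is constructed sample data.

```javascript
// Assumed annotation key; the issue itself only calls it "systemOnly".
const SYSTEM_ONLY = 'authorization.openshift.io/system-only';

// Hypothetical helper: build a minimal role object for the sample data.
function role(name, annotations) {
  return { metadata: { name, annotations } };
}

// True only when the annotation is present and set to the string "true".
// Missing metadata, missing annotations, or any other value counts as "not system-only".
function isSystemOnly(r) {
  const annotations = (r.metadata && r.metadata.annotations) || {};
  return annotations[SYSTEM_ONLY] === 'true';
}

// What an annotation-based filter lets through to the role picker.
function visibleRoles(roles) {
  return roles.filter((r) => !isSystemOnly(r)).map((r) => r.metadata.name);
}

// Audit: roles named "system:*" that lack the annotation and therefore
// appear in the picker even though they are meant for system components.
function unannotatedSystemRoles(roles) {
  return roles
    .filter((r) => r.metadata.name.startsWith('system:') && !isSystemOnly(r))
    .map((r) => r.metadata.name)
    .sort();
}

// Constructed sample: names from the issue, annotations made up to match
// which names appear in the "Filtered" list.
const sampleRoles = [
  role('admin'),
  role('view'),
  role('cluster-admin', { [SYSTEM_ONLY]: 'true' }),
  role('system:master', { [SYSTEM_ONLY]: 'true' }),
  role('system:kube-dns'),                            // imported, no annotations
  role('system:controller:job-controller', {}),       // empty annotations
  role('system:heapster', { [SYSTEM_ONLY]: 'false' }) // present but not "true"
];

console.log('visible in picker:', visibleRoles(sampleRoles));
console.log('system: roles missing annotation:', unannotatedSystemRoles(sampleRoles));
```

Running the audit over the output of a cluster's role list after an upstream import shows which roles need the annotation before they reach end users.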
