tnozicka / openshift-acme

ACME Controller for OpenShift and Kubernetes Cluster. (Supports e.g. Let's Encrypt)


Specific Namespaces: unable to grant RBAC permission not currently held for resource "routes/custom-host"

wgordon17 opened this issue · comments

What happened:
Running oc apply -f https://raw.githubusercontent.com/tnozicka/openshift-acme/master/deploy/specific-namespaces/{role,serviceaccount,issuer-letsencrypt-live,deployment}.yaml in an OpenShift Dedicated cluster leads to the following error:

Error from server (Forbidden): error when creating "https://raw.githubusercontent.com/tnozicka/openshift-acme/master/deploy/specific-namespaces/role.yaml": roles.rbac.authorization.k8s.io "openshift-acme" is forbidden: user "wgordon17" (groups=["dedicated-admins" "system:authenticated:oauth" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
{APIGroups:["route.openshift.io"], Resources:["routes/custom-host"], Verbs:["update" "delete" "patch"]}

What you expected to happen:
I expect no error

How to reproduce it (as minimally and precisely as possible):
oc apply -f https://raw.githubusercontent.com/tnozicka/openshift-acme/master/deploy/specific-namespaces/{role,serviceaccount,issuer-letsencrypt-live,deployment}.yaml

Anything else we need to know?:
Removing this section from the role appears to have let things work as expected (at least the pod isn't showing any error messages):

- apiGroups:
  - "route.openshift.io"
  resources:
  - routes/custom-host
  verbs:
  - create
  - update
  - delete
  - patch

Environment:

  • OpenShift/Kubernetes version (use oc/kubectl version):
Client Version: version.Info{Major:"4", Minor:"1+", GitVersion:"v4.1.7", GitCommit:"205da2b4a", GitTreeState:"clean", BuildDate:"2019-07-17T04:22:20Z", GoVersion:"go1.11.5", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"16+", GitVersion:"v1.16.2", GitCommit:"4320e48", GitTreeState:"clean", BuildDate:"2020-01-21T19:50:59Z", GoVersion:"go1.12.12", Compiler:"gc", Platform:"linux/amd64"}

@tnozicka

AFAIK you need custom-host for setting the hostname. I think OpenShift Online had this under Pro offering.

It was always the case: https://github.com/tnozicka/openshift-acme/blob/v0.8.0/deploy/letsencrypt-live/single-namespace/role.yaml#L24

Without that permission you can't create a Route with a hostname.

Thank you @tnozicka, I just tested with the previous role (where it was create verb only), and it looks like that worked as expected.

Testing each verb, it turns out that only the create verb works for me. I suspect the other verbs require/expect cluster-admin level permissions.

I don't see a reason at least update would need elevated perms except a bug in OCP. Maybe the other ones don't exist, which is what causes the auth error. (Cluster admins have *.) I think we use only create now, so I'll try updating the role.

Thanks! I can confirm that only having create is enough for openshift-acme to work its magic. I just migrated all the individual deployments on my cluster to a single deployment watching multiple namespaces. Works like magic! 👍🏻
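The error at the top of this issue comes from the API server's RBAC escalation prevention: a user may create or update a Role only if every (apiGroup, resource, verb) triple in it is already held by that user in that namespace (or the user holds the escalate verb on roles). Holding update on routes does not imply update on the routes/custom-host subresource, which is why a dedicated-admin with create-only on custom-host can apply the trimmed role but not the original one. The following is an added Python model of that check, written for this page and not code from openshift-acme or Kubernetes; the rules assumed for the dedicated-admin user (HELD) are constructed to reproduce the reported behaviour and are not the real OpenShift Dedicated role, and the helper names are assumptions.

```python
"""Model of the Kubernetes RBAC escalation-prevention check (breakdown into
atomic rules, cover test with wildcards, compaction of what is missing).
Illustrative reimplementation for this page, not kube-apiserver code."""

from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One rbac.authorization.k8s.io PolicyRule (nonResourceURLs omitted)."""
    api_groups: tuple[str, ...]
    resources: tuple[str, ...]
    verbs: tuple[str, ...]
    resource_names: tuple[str, ...] = ()


def breakdown(rule: Rule) -> list[Rule]:
    """Split a rule into atomic (group, resource, verb) rules."""
    return [Rule((g,), (r,), (v,), rule.resource_names)
            for g in rule.api_groups for r in rule.resources for v in rule.verbs]


def _has_all(have: tuple[str, ...], want: tuple[str, ...]) -> bool:
    return set(want) <= set(have)


def _resources_cover(have: tuple[str, ...], want: tuple[str, ...]) -> bool:
    """'*' covers everything; 'foo/*' and '*/bar' cover the subresource 'foo/bar'.
    A plain 'foo' does NOT cover 'foo/bar'."""
    if "*" in have or _has_all(have, want):
        return True
    for path in want:
        if path in have:
            continue
        if "/" not in path:
            return False
        resource, sub = path.split("/", 1)
        if f"{resource}/*" in have or f"*/{sub}" in have:
            continue
        return False
    return True


def rule_covers(owner: Rule, sub: Rule) -> bool:
    verbs_ok = "*" in owner.verbs or _has_all(owner.verbs, sub.verbs)
    groups_ok = "*" in owner.api_groups or _has_all(owner.api_groups, sub.api_groups)
    resources_ok = _resources_cover(owner.resources, sub.resources)
    # An owner rule restricted to resourceNames only covers requests that are
    # themselves restricted to a subset of those names.
    names_ok = (not owner.resource_names) or (
        bool(sub.resource_names) and _has_all(owner.resource_names, sub.resource_names))
    return verbs_ok and groups_ok and resources_ok and names_ok


def missing_rights(held: list[Rule], requested: list[Rule]) -> list[Rule]:
    """Atomic rules in `requested` that no rule in `held` covers (empty => allowed)."""
    return [atom for r in requested for atom in breakdown(r)
            if not any(rule_covers(h, atom) for h in held)]


def compact(rules: list[Rule]) -> list[Rule]:
    """Merge atomic rules that differ only in verb, keeping first-seen verb order."""
    merged: dict[tuple, list[str]] = {}
    for r in rules:
        verbs = merged.setdefault((r.api_groups, r.resources, r.resource_names), [])
        verbs.extend(v for v in r.verbs if v not in verbs)
    return [Rule(g, res, tuple(vs), names) for (g, res, names), vs in merged.items()]


def describe(rule: Rule) -> str:
    """Render a rule the way the server's error message does."""
    def q(xs: tuple[str, ...]) -> str:
        return "[" + " ".join(f'"{x}"' for x in xs) + "]"
    parts = [f"APIGroups:{q(rule.api_groups)}", f"Resources:{q(rule.resources)}"]
    if rule.resource_names:
        parts.append(f"ResourceNames:{q(rule.resource_names)}")
    parts.append(f"Verbs:{q(rule.verbs)}")
    return "{" + ", ".join(parts) + "}"


def escalation_error(held: list[Rule], requested: list[Rule], user: str = "wgordon17") -> str | None:
    """None if the user may create the role, else a message in the server's format."""
    missing = compact(missing_rights(held, requested))
    if not missing:
        return None
    return (f'user "{user}" is attempting to grant RBAC permissions not currently held:\n'
            + "\n".join(sorted(describe(r) for r in missing)))


# Constructed approximation of the reporter's rights on routes: full control of
# routes, but only "create" on the custom-host subresource (assumption).
HELD = [
    Rule(("route.openshift.io",), ("routes",),
         ("create", "get", "list", "watch", "update", "patch", "delete")),
    Rule(("route.openshift.io",), ("routes/custom-host",), ("create",)),
]
# The rule quoted from deploy/specific-namespaces/role.yaml in this issue.
REQUESTED_ORIGINAL = [Rule(("route.openshift.io",), ("routes/custom-host",),
                           ("create", "update", "delete", "patch"))]
# The create-only rule the thread settled on.
REQUESTED_TRIMMED = [Rule(("route.openshift.io",), ("routes/custom-host",), ("create",))]

if __name__ == "__main__":
    print(escalation_error(HELD, REQUESTED_ORIGINAL))
    print(escalation_error(HELD, REQUESTED_TRIMMED))
```

On a live cluster the same question can be asked per verb without editing the Role and re-applying: oc auth can-i update routes/custom-host (or kubectl auth can-i) answers for the current user in the current namespace, so a user who is not cluster-admin can find the minimal verb set a controller's Role may carry before the apply fails.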