Description
Bug Report
After installing an operator, OLM generates an edit cluster role to which the create
verb is added. That allows users with the edit role to create new resources.
What did you do?
- Install Multicluster Subscription Operator from OperatorHub in OpenShift.
- Check that the edit cluster role is generated with the create verb:
```
% oc get clusterrole applications.app.k8s.io-v1beta1-edit -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2020-06-21T04:34:40Z"
  labels:
    olm.opgroup.permissions/aggregate-to-6c3bb1110d0b9f9c-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: applications.app.k8s.io-v1beta1-edit
  ownerReferences:
  - apiVersion: apiextensions.k8s.io/v1beta1
    blockOwnerDeletion: false
    controller: false
    kind: CustomResourceDefinition
    name: applications.app.k8s.io
    uid: 8e2952cd-71fc-4370-8d97-cd9c1f25d017
  resourceVersion: "66882843"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/applications.app.k8s.io-v1beta1-edit
  uid: 0bbc53d5-dd5d-4a73-a1ac-05afe5d3e2ef
rules:
- apiGroups:
  - app.k8s.io
  resources:
  - applications
  verbs:
  - create
  - update
  - patch
  - delete
```
What did you expect to see?
It seems an edit role user should not be allowed to create new resources. On the other hand, we noticed that the create
permission is widely applied in all OpenShift edit roles, e.g. system:openshift:aggregate-to-edit.
Could someone clarify whether this is by OpenShift/OLM design?
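To see what the `rbac.authorization.k8s.io/aggregate-to-edit` label on the ClusterRole above actually does, here is an added example (not OLM's or OpenShift's code) that simulates the controller-manager's ClusterRole aggregation: the built-in `edit` role is reduced to its `aggregationRule` (constructed, the real one carries many rules of its own), the OLM-generated role is reproduced from the output above, and the effective rules are checked for the `create` verb.

```python
# Added example: simulate ClusterRole aggregation to see what the built-in
# `edit` role gains from an OLM-generated aggregate-to-edit ClusterRole.

# Constructed: built-in `edit` ClusterRole reduced to its aggregationRule.
EDIT_ROLE = {
    "metadata": {"name": "edit"},
    "aggregationRule": {"clusterRoleSelectors": [
        {"matchLabels": {"rbac.authorization.k8s.io/aggregate-to-edit": "true"}}]},
    "rules": [],
}

# The OLM-generated ClusterRole from the report, reduced to labels and rules.
OLM_EDIT_ROLE = {
    "metadata": {"name": "applications.app.k8s.io-v1beta1-edit", "labels": {
        "olm.opgroup.permissions/aggregate-to-6c3bb1110d0b9f9c-edit": "true",
        "rbac.authorization.k8s.io/aggregate-to-edit": "true"}},
    "rules": [{"apiGroups": ["app.k8s.io"], "resources": ["applications"],
               "verbs": ["create", "update", "patch", "delete"]}],
}

def matches(selector, labels):
    """True if every key/value in the selector's matchLabels is on the object."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def aggregate(role, all_roles):
    """Effective rules of `role`: its own plus those of every ClusterRole
    matching one of its clusterRoleSelectors (what the controller-manager does)."""
    rules = list(role.get("rules", []))
    selectors = role.get("aggregationRule", {}).get("clusterRoleSelectors", [])
    for other in all_roles:
        if other is not role and any(
                matches(s, other["metadata"].get("labels", {})) for s in selectors):
            rules.extend(other.get("rules", []))
    return rules

def allows(rules, group, resource, verb):
    """Does any rule grant `verb` on group/resource ('*' acts as a wildcard)?"""
    def hit(r, key, want):
        return want in r.get(key, []) or "*" in r.get(key, [])
    return any(hit(r, "apiGroups", group) and hit(r, "resources", resource)
               and hit(r, "verbs", verb) for r in rules)

def create_grants(role, all_roles):
    """(group, resource) pairs on which the aggregated role ends up allowing create."""
    return sorted({(g, res) for r in aggregate(role, all_roles)
                   if "create" in r.get("verbs", []) or "*" in r.get("verbs", [])
                   for g in r.get("apiGroups", []) for res in r.get("resources", [])})
```

On a live cluster the equivalent check is `oc get clusterrole edit -o yaml`, whose `rules` section the controller-manager fills in from every ClusterRole carrying the label.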