Command oc auth can-i does not work as expected with impersonation when user is member of a group

Solution Verified - Updated -

Issue

  • The oc auth can-i command doesn't work as expected when the user is a member of a group.
  • The oc auth can-i command returns yes even for users that are not present in the cluster. Here, userx is not present in the cluster:

    $ oc auth can-i create configmap --as=userx --as-group=group1 --as-group=system:authenticated
    
  • The following command returns an RBAC policy error when --as-group=system:authenticated is not added:

    $ oc auth can-i create configmap --as=userx --as-group=group1
    Error from server (Forbidden): selfsubjectaccessreviews.authorization.k8s.io is forbidden: User "user1" cannot create selfsubjectaccessreviews.authorization.k8s.io at the cluster scope: no RBAC policy matched
    

Environment

  • Red Hat OpenShift Container Platform (RHOCP)
    • 3.11
    • 4
  • RBAC
