Implicit RBAC grants in OpenShift Container Platform
Issue
- When a user creates a StatefulSet with volumeClaimTemplates, they can provision a PersistentVolumeClaim even if the user does not have the permission to create a PersistentVolumeClaim object. Why is this?
- Are there implicit grants for RBAC permissions for certain objects?
- As a user, oc auth can-i create persistentvolumeclaims returns "no", but the user can still create PersistentVolumeClaims via a StatefulSet - why is this?
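
An added example, not part of the original article or of any Red Hat tooling: the StatefulSet controller creates the claims listed in volumeClaimTemplates with its own credentials, so the API server authorizes the user only for the StatefulSet itself. The Python code below evaluates constructed RBAC rules and flags rule sets that cannot create PersistentVolumeClaims directly but can still cause them to be created. Assumptions: the role names and rule contents are hypothetical, rules use only verbs, apiGroups and resources, and only the create verb on statefulsets is considered.

```python
# Constructed sample rules in the shape of RBAC PolicyRule objects
# (hypothetical roles, not taken from the article).
DEV_ROLE = [
    {"apiGroups": ["apps"], "resources": ["statefulsets"],
     "verbs": ["get", "list", "create"]},
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
]
VIEW_ROLE = [
    {"apiGroups": ["", "apps"], "resources": ["*"],
     "verbs": ["get", "list", "watch"]},
]
ADMIN_ROLE = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]


def _match(allowed, wanted):
    """A rule field matches if it lists the wanted value or the '*' wildcard."""
    return "*" in allowed or wanted in allowed


def allows(rules, verb, group, resource):
    """True if any rule grants verb on group/resource (RBAC is additive, no deny)."""
    return any(
        _match(r.get("verbs", []), verb)
        and _match(r.get("apiGroups", []), group)
        and _match(r.get("resources", []), resource)
        for r in rules
    )


def pvc_exposure(rules):
    """Classify how a rule set can cause PersistentVolumeClaims to be created."""
    # Direct path: what `oc auth can-i create persistentvolumeclaims` reports.
    if allows(rules, "create", "", "persistentvolumeclaims"):
        return "direct"
    # Indirect path: the user creates a StatefulSet and the controller
    # creates the claims from volumeClaimTemplates on the user's behalf.
    if allows(rules, "create", "apps", "statefulsets"):
        return "indirect-via-statefulset"
    return "none"


if __name__ == "__main__":
    for name, rules in [("dev", DEV_ROLE), ("view", VIEW_ROLE), ("admin", ADMIN_ROLE)]:
        print(f"{name}: {pvc_exposure(rules)}")
```

Rule sets reported as indirect-via-statefulset are the ones where a can-i check on persistentvolumeclaims understates what the subject can provision, so storage limits for them belong in ResourceQuota rather than in RBAC alone.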
Environment
- OpenShift Container Platform 4