On ROSA, unable to list some objects with "dedicated-admin"

Solution Verified - Updated -

Environment

  • Amazon Web Services (AWS)
  • Red Hat OpenShift Service on AWS (ROSA)

Issue

  • On our Red Hat OpenShift Service on AWS (ROSA) cluster, members of the dedicated-admins (with the ClusterRole/dedicated-admins-cluster), some permissions are missing, for example:
    • list/get/watch for the egressfirewalls.k8s.ovn.org resource
    • list/get/watch for the deployments/rollbacksubresource

Resolution

  • Create a ClusterRole that uses the managed.openshift.io/aggregate-to-dedicated-admins: cluster label to grant these permissions:

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    hive.openshift.io/managed: "false"
    managed.openshift.io/aggregate-to-dedicated-admins: cluster
  name: dedicated-admins-aggregate-custom
rules:
- apiGroups:
  - "apps"
  resources:
  - "deployments/rollback"
  verbs:
  - "get"
  - "list"
  - "watch"
- apiGroups:
  - "extensions"
  resources:
  - "deployments/rollback"
  verbs:
  - "get"
  - "list"
  - "watch"
- apiGroups:
  - "k8s.ovn.org"
  resources:
  - "egressfirewalls"
  - "egressips"
  - "egressqoses"
  verbs:
  - "get"
  - "list"
  - "watch"

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments