This repository has been archived by the owner on Mar 16, 2024. It is now read-only.

IRA - Permission denied error messages have serviceName set to image name. #2234

Closed
sangee2004 opened this issue Oct 10, 2023 · 2 comments
Labels
kind/bug Something isn't working

Comments

@sangee2004
Contributor

acorn version - v0.9.0-rc1-20-g1fc37ec2+1fc37ec2

Steps to reproduce the problem:

  1. Install acorn with IRA feature on - acorn install --features image-role-authorizations=true
  2. Create the following Role + IRA
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: acorn:system:cluster-admin
rules:
- apiGroups:
  - 'foo*'
  resources:
  - '*'
  verbs: ["*"]
---
apiVersion: admin.acorn.io/v1
kind: ImageRoleAuthorization
metadata:
  name: image-role-authz-superadmintest
  namespace: acorn
spec:
  imageSelector:
    namePatterns:
      - "**"
  roles:
    scopes:
      - cluster
    roleRefs:
      - name: acorn:system:cluster-admin
        kind: ClusterRole
  3. Deploy an app using the following Acornfile
containers: web: {
    image: "nginx"
    permissions: {
        // These are permissions that will only be granted for this container in its namespace.
        rules: [
            {
                verbs: ["*"],
                apiGroups: ["test.bar.com"],
                resources: ["*"]
            },
            {
                verbs: ["*"],
                apiGroups: ["foo1.bar.com"],
                resources: ["*"]
            }
        ]
    }
}

App deployment fails which is as expected:

ss                                   25s ago                cannot run new image due to denied permissions: rules needed: [{"serviceName":"84750647674e0d2cfbfefec2c33814af37e1e56d34da3c568a49b4bfa3a728f6","rules":[{"verbs":["*"],"apiGroups":["test.bar.com"],"resources":["*"]}]}]

Notice that the error message has serviceName set to the image ID.

Expected Behavior:
The error message should have serviceName set to the container name, which is web in this case.
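
The check behind the "rules needed" error, as an added, stand-alone example and not acorn's own code: it diffs the rules a container requests against the rules the IRA's ClusterRole grants and reports the uncovered ones keyed by container name (the expected behaviour) rather than by image digest. Every function name here is illustrative; the glob-style matching of apiGroups (so that "foo*" covers "foo1.bar.com" but not "test.bar.com", as the reproduction shows) and the rule-by-rule coverage test are assumptions about semantics the page does not spell out. The sample inputs are the ClusterRole and Acornfile from the steps above.

```go
package main

import (
	"encoding/json"
	"path"
	"sort"
)

// PolicyRule has the shape of the rules in the Acornfile and the error above.
type PolicyRule struct {
	Verbs     []string `json:"verbs"`
	APIGroups []string `json:"apiGroups"`
	Resources []string `json:"resources"`
}

// DeniedRules is one "rules needed" entry; serviceName is the container name.
type DeniedRules struct {
	ServiceName string       `json:"serviceName"`
	Rules       []PolicyRule `json:"rules"`
}

// matchOne treats "*" as match-all and any other granted entry as a glob (an
// assumption; acorn's real matcher is not on the page): "foo*" covers "foo1.bar.com".
func matchOne(granted, requested string) bool {
	if granted == "*" {
		return true
	}
	ok, err := path.Match(granted, requested)
	return err == nil && ok
}

// allMatch is true when every requested value is matched by a granted one.
func allMatch(granted, requested []string) bool {
next:
	for _, r := range requested {
		for _, g := range granted {
			if matchOne(g, r) {
				continue next
			}
		}
		return false
	}
	return true
}

// covered is true when a single granted rule matches every verb, apiGroup and resource.
func covered(granted []PolicyRule, req PolicyRule) bool {
	for _, g := range granted {
		if allMatch(g.Verbs, req.Verbs) && allMatch(g.APIGroups, req.APIGroups) &&
			allMatch(g.Resources, req.Resources) {
			return true
		}
	}
	return false
}

// RulesNeeded lists, per container (sorted by name), the requested rules nothing covers.
func RulesNeeded(granted []PolicyRule, requested map[string][]PolicyRule) []DeniedRules {
	names := make([]string, 0, len(requested))
	for name := range requested {
		names = append(names, name)
	}
	sort.Strings(names)
	var out []DeniedRules
	for _, name := range names {
		var missing []PolicyRule
		for _, r := range requested[name] {
			if !covered(granted, r) {
				missing = append(missing, r)
			}
		}
		if len(missing) > 0 {
			out = append(out, DeniedRules{ServiceName: name, Rules: missing})
		}
	}
	return out
}

// DeniedMessage renders the error in the page's format; false means nothing is denied.
func DeniedMessage(granted []PolicyRule, requested map[string][]PolicyRule) (string, bool) {
	needed := RulesNeeded(granted, requested)
	if len(needed) == 0 {
		return "", false
	}
	b, _ := json.Marshal(needed) // plain strings and slices: cannot fail
	return "cannot run new image due to denied permissions: rules needed: " + string(b), true
}

// SampleGranted is the ClusterRole from the reproduction steps (apiGroups "foo*").
func SampleGranted() []PolicyRule {
	return []PolicyRule{{Verbs: []string{"*"}, APIGroups: []string{"foo*"}, Resources: []string{"*"}}}
}

// SampleRequested is the "web" container's permissions block from the Acornfile.
func SampleRequested() map[string][]PolicyRule {
	return map[string][]PolicyRule{"web": {
		{Verbs: []string{"*"}, APIGroups: []string{"test.bar.com"}, Resources: []string{"*"}},
		{Verbs: []string{"*"}, APIGroups: []string{"foo1.bar.com"}, Resources: []string{"*"}},
	}}
}
```

With the sample inputs, DeniedMessage(SampleGranted(), SampleRequested()) yields the single uncovered test.bar.com rule under serviceName "web"; a grant with apiGroups "*" covers both requested rules and the function reports nothing denied. Keying the report by container name also keeps two containers built from the same image distinguishable, which a digest-keyed message cannot do.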

@iwilltry42
Contributor

This should've been fixed by #2226

@sangee2004
Contributor Author

Tested using - acorn version v0.9.1-16-g89212fea+89212fea

Able to see the serviceName set to container name as expected.

hello2                                                                   38s ago                                                         cannot run new image due to denied permissions: rules needed: [{"serviceName":"web","rules":[{"verbs":["*"],"apiGroups":["test.bar.com"],"resources":["*"],"scopes":["project"]}]}]
