KKP Admin not able to manage RBAC assignment and Project assignment #6753

Closed
toschneck opened this issue Jul 12, 2024 · 7 comments · Fixed by #6754
Labels
customer-request kind/bug Categorizes issue or PR as related to a bug. kind/feature Categorizes issue or PR as related to a new feature. sig/api Denotes a PR or issue as being assigned to SIG API. sig/ui Denotes a PR or issue as being assigned to SIG UI.

Comments

@toschneck
Member

What happened?

As KKP Admin, I would like to control every setting of any user cluster, even if I'm not part of the project.
Currently I can't add a new RBAC binding when my account doesn't belong to the project, even if I'm KKP super admin:
[Screenshot: Cluster 'dev-k8s01-nun' in Project 'sinapse-dev', 2024-07-12 11-07-50]

If I try to work around this and add myself to the project as admin, I can't do it, as this is not allowed (which is not correct in my opinion):
[Screenshot: User Settings in Project 'sinapse-dev', 2024-07-12 11-11-38]

Expected behavior

As KKP Admin I should have full rights on the platform and be allowed to:

  • Assign myself to a project
  • Add or modify any RBAC assignment in any cluster

How to reproduce the issue?

Log in as KKP Admin, choose a project where you are not a member, and try to:

  • add yourself
  • do an RBAC binding assignment

How is your environment configured?

  • KKP version: 2.25.6
  • Shared or separate master/seed clusters?:
    combined or separate: same behaviour

Provide your KKP manifest here (if applicable)

See https://github.com/kubermatic/demo-infra/tree/main/kubermatic


What cloud provider are you running on?

doesn't matter

What operating system are you running in your user cluster?

doesn't matter

Additional information

@toschneck toschneck added the kind/bug Categorizes issue or PR as related to a bug. label Jul 12, 2024
@toschneck
Member Author

/label customer-request

@judge-red

I've brought this up as a bug with Kubermatic almost 1.5 years ago, but unfortunately the result of internal discussions communicated to me was "KKP Admins should be only allowed for displaying all resources and interactions like editing/creating/removing should not be possible". They acknowledged that this isn't currently true either, as KKP admins can take several CRUD actions in projects. Thus this was created: kubermatic/docs#1362

I still disagree with that view, thus I would very much like to see this issue here addressed instead.

But the problem is more complicated, here's another example:

  • if I'm KKP admin but have NO role in the project, I CAN add a service account to the project
  • if I'm a KKP admin AND a project editor/viewer (i.e. a member but not owner) in the project, I can NOT add a service account to the project (which requires owner privileges)
    ... imho KKP admin should weigh more than a project role.

In general, the KKP admin privileges on the dashboard feel random and often wrong.
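
Added example (not part of the thread and not KKP's code): a hypothetical Go model of one evaluation order that would produce the asymmetry described in the comment above, next to an additive check, with a property test that flags every case where giving an admin a project role removes access. The `User` type, the role names and their ranks are assumptions.

```go
package main

import "fmt"

// Hypothetical model, not KKP code: type, role names and ranks are assumptions.
type User struct {
	IsAdmin bool              // global admin flag
	Roles   map[string]string // project -> "viewers" | "editors" | "owners"
}

var roles = []string{"viewers", "editors", "owners"}
var rank = map[string]int{"viewers": 1, "editors": 2, "owners": 3}

// shadowedCheck: a project binding, when present, decides alone; admin is only a fallback.
func shadowedCheck(u User, project, required string) bool {
	if role, ok := u.Roles[project]; ok {
		return rank[role] >= rank[required]
	}
	return u.IsAdmin
}

// additiveCheck: grants are a union, so a project role can only add access.
func additiveCheck(u User, project, required string) bool {
	if u.IsAdmin {
		return true
	}
	role, ok := u.Roles[project]
	return ok && rank[role] >= rank[required]
}

// regressions lists cases where a project role removes what a role-less admin could do.
func regressions(check func(User, string, string) bool) []string {
	var out []string
	for _, required := range roles {
		if !check(User{IsAdmin: true}, "p1", required) {
			continue // the role-less admin cannot do it either, nothing to lose
		}
		for _, role := range roles {
			u := User{IsAdmin: true, Roles: map[string]string{"p1": role}}
			if !check(u, "p1", required) {
				out = append(out, fmt.Sprintf("admin+%s loses action requiring %s", role, required))
			}
		}
	}
	return out
}

func main() {
	fmt.Println(regressions(shadowedCheck), regressions(additiveCheck))
}
```

A monotonicity test of this kind (adding a binding must never reduce effective permissions) is a cheap regression guard for any authorization layer that combines global and scoped roles.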

@csengerszabo
Contributor

/label sig/cluster-management
/label sig/api
/label sig/ui

@kubermatic-bot kubermatic-bot added sig/cluster-management Denotes a PR or issue as being assigned to SIG Cluster Management. sig/api Denotes a PR or issue as being assigned to SIG API. sig/ui Denotes a PR or issue as being assigned to SIG UI. labels Jul 17, 2024
@csengerszabo
Contributor

/kind feature

@kubermatic-bot kubermatic-bot added the kind/feature Categorizes issue or PR as related to a new feature. label Jul 17, 2024
@csengerszabo
Contributor

/remove-label sig/cluster-management

@kubermatic-bot kubermatic-bot removed the sig/cluster-management Denotes a PR or issue as being assigned to SIG Cluster Management. label Jul 23, 2024
@csengerszabo
Contributor

/assign @ahmadhamzh

@ahmadhamzh
Contributor

/transfer-issue dashboard

@kubermatic-bot kubermatic-bot transferred this issue from kubermatic/kubermatic Jul 30, 2024
@ahmadhamzh ahmadhamzh added this to the KKP 2.26 milestone Jul 30, 2024

5 participants