Skip to content

[OCPBUGS-62642] Fix amIAdmin function to correctly check admin group membership#417

Closed
dustman9000 wants to merge 1 commit intoopenshift:masterfrom
dustman9000:allow-endpoint-controller-namespace-access
Closed

[OCPBUGS-62642] Fix amIAdmin function to correctly check admin group membership#417
dustman9000 wants to merge 1 commit intoopenshift:masterfrom
dustman9000:allow-endpoint-controller-namespace-access

Conversation

@dustman9000
Copy link
Copy Markdown
Member

@dustman9000 dustman9000 commented Oct 1, 2025
edited by openshift-ci Bot
Loading

Allow osd-admin user with cluster-admins group for e2e tests

Add exemption for the osd-admin user when it has the cluster-admins group
to support OpenShift CI e2e tests. This is a targeted exemption that requires
both the specific username AND group membership.

Security rationale:

  • In production OSD clusters, customers cannot arbitrarily assign users to
    the cluster-admins group as it's managed by the OAuth infrastructure
  • The exemption only applies when BOTH conditions are met: username is
    osd-admin AND user is in cluster-admins group
  • This is more restrictive than the previous blanket cluster-admins group
    exemption that was removed in SREP-1565

This fixes CI test failures in openshift/origin endpoint admission tests
where the osd-admin user needs to create privileged namespaces like
kube-system for testing purposes.

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 1, 2025
@openshift-ci openshift-ci Bot requested review from clcollins and feichashao October 1, 2025 17:27
@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Oct 1, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dustman9000

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 1, 2025
@dustman9000
Allow osd-admin user with cluster-admins group for e2e tests
59ae773 
Add exemption for the osd-admin user when it has the cluster-admins group
to support OpenShift CI e2e tests. This is a targeted exemption that requires
both the specific username AND group membership.

Security rationale:
- In production OSD clusters, customers cannot arbitrarily assign users to
  the cluster-admins group as it's managed by the OAuth infrastructure
- The exemption only applies when BOTH conditions are met: username is
  osd-admin AND user is in cluster-admins group
- This is more restrictive than the previous blanket cluster-admins group
  exemption that was removed in SREP-1565

This fixes CI test failures in openshift/origin endpoint admission tests
where the osd-admin user needs to create privileged namespaces like
kube-system for testing purposes.
@dustman9000 dustman9000 force-pushed the allow-endpoint-controller-namespace-access branch from b5ea847 to 59ae773 Compare October 1, 2025 17:57
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 1, 2025
@dustman9000
Copy link
Copy Markdown
Member Author

dustman9000 commented Oct 1, 2025

/hold

@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 1, 2025
@openshift-ci
Copy link
Copy Markdown
Contributor

openshift-ci Bot commented Oct 1, 2025

@dustman9000: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-bot
Copy link
Copy Markdown

openshift-bot commented Dec 31, 2025

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci Bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 31, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@clcollins clcollins Awaiting requested review from clcollins

@feichashao feichashao Awaiting requested review from feichashao

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dustman9000 @openshift-bot @openshift-merge-robot