How to allow project admins to manage Egressfirewall resources in RHOCP4

Solution Verified - Updated

Environment

  • Red Hat OpenShift Container Platform 4.7
  • OVNKubernetes

Issue

  • Only cluster-admin users can manage Egressfirewall
  • Project admin users must be able to manage their Egressfirewall

Resolution

  • Create a file named Egressfirewall-aggregate-to-admin.yml with these contents:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
  name: egressnetworkpolicy-aggregate-to-admin
  namespace: ""
rules:
- apiGroups:
  - k8s.ovn.org
  resources:
  - egressfirewalls
  verbs:
  - get
  - list
  - watch
  - update
  - patch
  - create
  - delete

  • As a cluster-admin, run this command: oc create -f Egressfirewall-aggregate-to-admin.yml
  • Now, every project admin can manage egress firewall policies on their project(s)

Root Cause

  • By default, the admin ClusterRole does not include permissions to manage EgressFirewall objects, even though they are namespaced resources.
  • The ClusterRole above grants those permissions whether it is bound directly to a user or, through the aggregate-to-admin label, merged into the admin ClusterRole.
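The following script is an added example, not part of the Red Hat solution, that models how the Resolution above and the Root Cause fit together. It simulates the ClusterRole aggregation controller (a ClusterRole with an aggregationRule gets its rules rebuilt from every ClusterRole whose labels match one of its selectors) and then answers an offline "can I" question for a project admin. The trimmed admin and system:aggregate-to-admin roles are constructed here with a single pods rule; the EgressFirewall ClusterRole is the one from the solution. No cluster access is required.

```python
"""Offline model of ClusterRole aggregation for the egressfirewalls case.

Added example; not from the solution page. The built-in roles below are
constructed and trimmed to one rule each. Only the solution's ClusterRole is
reproduced as-is.
"""
from typing import Dict, List

AGG_LABEL = "rbac.authorization.k8s.io/aggregate-to-admin"

# Constructed: the built-in 'admin' ClusterRole. Its rules field is owned by the
# aggregation controller, so it starts empty here and is filled by aggregate().
ADMIN_ROLE: Dict = {
    "kind": "ClusterRole",
    "metadata": {"name": "admin"},
    "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {AGG_LABEL: "true"}}]},
    "rules": [],
}

# Constructed: a one-rule stand-in for the built-in 'system:aggregate-to-admin'
# role that supplies the admin role's usual permissions.
SYSTEM_AGGREGATE_TO_ADMIN: Dict = {
    "kind": "ClusterRole",
    "metadata": {"name": "system:aggregate-to-admin", "labels": {AGG_LABEL: "true"}},
    "rules": [{"apiGroups": [""], "resources": ["pods"],
               "verbs": ["get", "list", "watch", "create", "delete"]}],
}

# The ClusterRole from the solution (same label, group, resource and verbs).
EGRESSFIREWALL_ROLE: Dict = {
    "kind": "ClusterRole",
    "metadata": {"name": "egressnetworkpolicy-aggregate-to-admin",
                 "labels": {AGG_LABEL: "true"}},
    "rules": [{"apiGroups": ["k8s.ovn.org"], "resources": ["egressfirewalls"],
               "verbs": ["get", "list", "watch", "update", "patch", "create", "delete"]}],
}

BUILTIN_ROLES = [ADMIN_ROLE, SYSTEM_AGGREGATE_TO_ADMIN]


def _selector_matches(selector: Dict, labels: Dict[str, str]) -> bool:
    """matchLabels semantics: every key/value pair in the selector must be present."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def aggregate(target: Dict, cluster_roles: List[Dict]) -> List[Dict]:
    """Return the effective rules of an aggregated ClusterRole.

    Mirrors the clusterrole-aggregation controller: the target's rules are the
    union of the rules of every ClusterRole whose labels match at least one of
    the target's clusterRoleSelectors. The target itself carries no label, so
    its own (controller-managed) rules field does not feed back in.
    """
    selectors = target.get("aggregationRule", {}).get("clusterRoleSelectors", [])
    rules: List[Dict] = []
    for role in cluster_roles:
        labels = role["metadata"].get("labels", {})
        if any(_selector_matches(sel, labels) for sel in selectors):
            rules.extend(role.get("rules", []))
    return rules


def _rule_allows(rule: Dict, group: str, resource: str, verb: str) -> bool:
    def match(wanted: str, values: List[str]) -> bool:
        return "*" in values or wanted in values
    return (match(group, rule["apiGroups"]) and match(resource, rule["resources"])
            and match(verb, rule["verbs"]))


def can_i(rules: List[Dict], verb: str, resource: str, group: str = "") -> bool:
    """Offline analogue of 'oc auth can-i <verb> <resource>.<group>' for a
    subject bound to the given rules (e.g. a project admin bound to 'admin')."""
    return any(_rule_allows(r, group, resource, verb) for r in rules)


def project_admin_can_manage_egressfirewalls(extra_roles: List[Dict]) -> bool:
    """True when the aggregated 'admin' role grants every verb the solution
    lists on egressfirewalls.k8s.ovn.org, given the extra ClusterRoles present."""
    effective = aggregate(ADMIN_ROLE, BUILTIN_ROLES + extra_roles)
    needed = ["get", "list", "watch", "update", "patch", "create", "delete"]
    return all(can_i(effective, v, "egressfirewalls", "k8s.ovn.org") for v in needed)


if __name__ == "__main__":
    # Root cause: nothing labelled aggregate-to-admin mentions egressfirewalls.
    print("before:", project_admin_can_manage_egressfirewalls([]))
    # Resolution: the labelled ClusterRole is merged into 'admin' by aggregation.
    print("after: ", project_admin_can_manage_egressfirewalls([EGRESSFIREWALL_ROLE]))
    # Same rules without the label: only useful when bound to a user directly.
    unlabelled = {"kind": "ClusterRole",
                  "metadata": {"name": "egressfirewall-unlabelled"},
                  "rules": EGRESSFIREWALL_ROLE["rules"]}
    print("unlabelled:", project_admin_can_manage_egressfirewalls([unlabelled]))
    print("bound directly:", can_i(unlabelled["rules"], "create", "egressfirewalls", "k8s.ovn.org"))
```

On a real cluster the same check is oc auth can-i create egressfirewalls.k8s.ovn.org -n <project> --as=<project-admin-user>, run before and after oc create -f Egressfirewall-aggregate-to-admin.yml; the aggregated rules can also be inspected with oc get clusterrole admin -o yaml once the controller has reconciled the label.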

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.