
Special permissions needed for user to create route with host set?



I'm writing an operator that creates a route.  I generate the following JSON:

{"kind":"Route","apiVersion":"route.openshift.io/v1","id":"openunison-https-test-openunison-openunison","metadata":{"name":"secure-openunison-test-openunison","labels":{"application":"openunison-test-openunison"},"annotations":{"description":"Route for OpenUnison's https service."}},"spec":{"host":"testou.apps.ocp47.tremolo.dev","port":{"targetPort":"openunison-secure-test-openunison"},"to":{"kind":"Service","name":"openunison-test-openunison"},"tls":{"termination":"reencrypt","destinationCACertificate":"-----BEGIN CERTIFICATE-----\nMIIECjCCAvKgAwIBAgIGAWpBtYTeMA0GCSqGSIb3DQEBCwUAMIGPMQswCQYDVQQG\r\nEwJVUzERMA8GA1UECBMIVmlyZ2luaWExEzARBgNVBAcTCkFsZXhhbmRyaWExGTAX\r\nBgNVBAoTEFRyZW1vbG8gU2VjdXJpdHkxDDAKBgNVBAsTA2s4czEvMC0GA1UEAxMm\r\ndGVzdC1vcGVudW5pc29uLm91b3Auc3ZjLmNsdXN0ZXIubG9jYWwwHhcNMTkwNDIx\r\nMjEwMjU2WhcNMjkwNDE4MjEwMjU2WjCBjzELMAkGA1UEBhMCVVMxETAPBgNVBAgT\r\nCFZpcmdpbmlhMRMwEQYDVQQHEwpBbGV4YW5kcmlhMRkwFwYDVQQKExBUcmVtb2xv\r\nIFNlY3VyaXR5MQwwCgYDVQQLEwNrOHMxLzAtBgNVBAMTJnRlc3Qtb3BlbnVuaXNv\r\nbi5vdW9wLnN2Yy5jbHVzdGVyLmxvY2FsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A\r\nMIIBCgKCAQEAtD7inyJs7ghpWVHzjYyKACU7wgVySFEztrua4TXh3b+u9Oavxt7c\r\nfDy3GpY24vgMdaGNtq3PINq1mc4drSbxv6a0A0JCy6fEUXdgTWIHeW1VUpSY9n6s\r\n3eg7yJq6B2wJtt09fow6fP/QkQ1pISfe6uhTlGsnBlKA/9Prco3ipktCtiy4uoJi\r\naoR+vmnpIxccN5xfMciIuQ29bT9JCPzXP87rHlaDP4HXlXx/De1cC9qBUT1lmDSl\r\nhHDxn2H/o2LgBrINA2L4qgM39xt/qeskRsd0ElqwuhuFsH7I2yIqReum5KDSriuF\r\nkWTEIqYRWPJR1MqciVk0ciDKGFzRgMT3IwIDAQABo2owaDAPBgNVHRMBAf8EBTAD\r\nAQH/MA4GA1UdDwEB/wQEAwICBDASBgNVHSUBAf8ECDAGBgRVHSUAMDEGA1UdEQQq\r\nMCiCJnRlc3Qtb3BlbnVuaXNvbi5vdW9wLnN2Yy5jbHVzdGVyLmxvY2FsMA0GCSqG\r\nSIb3DQEBCwUAA4IBAQBjOQcbkltm06C+sUqtW3jhKsEcvbg0JzT57QpXUmy/yOL2\r\n35KHlA4TBH17DCwH60l/2jLg6ECBFAQO5tgA6hEkkPk2+y3PZXYuIztangTsifv2\r\n0jSUTqKQCUQwtqgwqUaCr/OjI/bYs56d/ENBxbvJBCPeJiZ1By6N+q0FOY9mJxf0\r\noB+z2x9tgKRHSi3l8enQGgMqIS9B65UW9jigqX+HbIOIwq2GnXuwO5W6FOmgq9/I\r\n9YfftyOTK0U7gkdw8DibDXtrHslnXWD9CmNwUwIAXTleYHAS1iCHFYhitAFCNH4v\r\n+O8Al6m4/d28Y52f9gIuVCYS5m1RpTAsV
cDravpX\r\n-----END CERTIFICATE-----\n"}}}

{"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Route.route.openshift.io \"secure-openunison-test-openunison\" is invalid: spec.host: Forbidden: you do not have permission to set the host field of the route","reason":"Invalid","details":{"name":"secure-openunison-test-openunison","group":"route.openshift.io","kind":"Route","causes":[{"reason":"FieldValueForbidden","message":"Forbidden: you do not have permission to set the host field of the route","field":"spec.host"}]},"code":422}

but when I post the exact same JSON as a cluster admin, it gets created no problem.  I found some references to OpenShift online not allowing custom domains but that's it.  Is there some kind of setting that needs to be put on the router?

Thanks
Marc


