-
Notifications
You must be signed in to change notification settings - Fork 591
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KIC 2.0 CTRLMGR RBAC Roundup #1215
Comments
Spike timeStatus quoKubebuilder doesn't appear to have clear defaults on resources--it looks like everything is derived from markers we write. We currently impose defaults (or rather, only allow a single configuration throughout) through the templates in
and dumps them into a single ClusterRole, which we name in our Makefile target:
https://book.kubebuilder.io/reference/markers/rbac.html covers the Namespaced role generationPart of what we'd like to do is provide two variants of the RBAC rule set, one appropriate for the permissive default (cluster-wide) configuration and one appropriate for a restricted, per namespace configuration. It looks like Kubebuilder can get us partway there by adding namespaced copy of the existing tags:
There are some caveats:
Kustomization strategic merge example for end users will presumably look like:
Helm will use a for loop to iterate over a set of namespaces and generate a role for each. Restricting permission verbs by resourceIf we do not wish to apply the same set of permissions to all resources, as we do now, we need a new Providing the verb list for the main resource thus seems like the next step. Unsure if we want to be able to toggle status/finalizer permissions off, but I'd expect their verbs are consistent if they're present. Differences from existing v1 permissionsStock v1 permissionsThe existing v1 permissions are more limited, and unfortunately a bit hard to compare because of the way K8S RBAC groups things. Nevertheless:
Chart variantThe permissions we install with the chart actually differ further, though it looks like the main change is the addition of a Role that further locks down the leader ConfigMap to the controller namespace and limits updates to its name. Not really sure why we also have a namespace/pod/secret get permission (secret for the admission cert, I guess?). Additional permissions needed by v2It's not clear that v2 needs its additional verbs. I'm fairly certain we never create or update resources other than ConfigMaps and Events. We may not need all the new status permissions (e.g. Services have a use case if we can implement a map to the associated Kong resources, which we currently lack, whereas Endpoints we almost certainly don't need to update status for). I suppose we need the finalizer permissions, though I don't know enough detail about how we use those to say for sure. The generic approach to verbs appears to have just been a permissive kitchen sink approach to avoid the RBAC question initially, and we can probably revert to the set of permissions we had in v1 with some minor additions once we have an implementation that can discriminate properly. Other notes
|
Great writeup. Sounds like we need to drop the extra verbs at the very least... but perhaps we should be considering making upstream improvements to Kubebuilder to get the improvements for separate roles and bindings, and greater specificity we desire. As a course of action, I would be in favor of us taking this approach:
|
I don't think there's anything we actually need new from Kubebuilder--some of those points are just notes. We don't need multiple roles of the same type, and we already use kustomize to apply additional post-processing to the generated roles. We'd need to add new kustomize stuff, but that's entirely doable with what we have now. |
Alright, well, one annoyance: the Role and ClusterRole end up in the same file, and we won't normally apply the Role. We can use the second workflow from kubernetes-sigs/kustomize#1593 (comment) to separate them. |
resolved by #1457 |
The purpose of this issue is to ensure we review and restrict our RBAC permissions provided to the controller manager prior to the first KIC 2.0 alpha release as the
kubebuilder
defaults are too permissive.Acceptance Criteria:
The text was updated successfully, but these errors were encountered: