Split controller RBAC into cluster-wide and tenant roles #2346
Conversation
googlebot
added
the
cla: yes
tekton-robot
added
the
size/L
|
Good catch! This PR was branched from the webhook one. I'll rebase on top of master now that it's merged. Also, good call on the doc, I'll add some supporting information. |
The controller currently operates with a single ClusterRole that spans a very broad set of access permissions. In multi-tenant scenarios this kind of RBAC configuration can be quite dangerous. In order to better support potential multi-tenant configurations this PR splits the roles that the controller receives into two. This PR does not actually change the level of access afforded to the controller. Instead, the roles are split but remain cluster-scoped by default. There should be no noticeable change in behaviour from the existing RBAC configuration in master. If a team wanted to start running a multi-tenant service they would be able to bind tekton-pipelines-controller-tenant-access using a RoleBinding instead of a ClusterRoleBinding, thereby limiting the access that the controller has to specific tenant namespaces. Full credit goes to to @eddie4941 for designing these changes!
|
I've added a short description to the I've also updated this PR to be based off of master, which has removed a couple of files from the diff since they were already merged in an earlier commit. |
| - apiGroups: [""] | ||
| resources: ["pods", "pods/log", "namespaces", "secrets", "events", "serviceaccounts", "configmaps", "persistentvolumeclaims", "limitranges"] | ||
| verbs: ["get", "list", "create", "update", "delete", "patch", "watch"] | ||
| # Unclear if this access is actually required. Simply a hold-over from the previous |
There was a problem hiding this comment.
Hmm, yeah this one is suspect...maybe we can get rid of it in a followup
tekton-robot
added
the
approved
| - apiGroups: [""] | ||
| resources: ["configmaps"] | ||
| verbs: ["get"] | ||
| resourceNames: ["config-logging", "config-observability", "config-artifact-bucket", "config-artifact-pvc", "feature-flags"] |
There was a problem hiding this comment.
Note to self: these configmap names are configurable - overrideable with environment variables in the controller pod. We should probably document these being named in the Role and tell users to make sure they change them here as well if they modify the defaults.
There was a problem hiding this comment.
Yup thats correct. The names are listed out here: https:/tektoncd/pipeline/blob/master/config/controller.yaml#L66-L75
Alternatively, if we are worried about keeping these in sync, we can have the default role thats included in release.yaml not list resourceNames. We can then add a line in the docs saying that its possible to limit the names further if we want by added resourceNames that match those that are passed to the controller via env vars. Though being explicitly is nicer from rbac perspective as you now exactly what the controller is doing.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dibyom, vdemeester The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
ghost
mentioned this pull request
| name: tekton-pipelines-controller-tenant-access | ||
| rules: | ||
| - apiGroups: [""] | ||
| resources: ["pods", "pods/log", "namespaces", "secrets", "events", "serviceaccounts", "configmaps", "persistentvolumeclaims", "limitranges"] |
There was a problem hiding this comment.
Just noticed this here. Were listing namespaces even though they are not a namespaces resource. So we can drop it form here. This is already covered in the tekton-pipelines-controller-cluster-access ClusterRole anyway.
This shouldn't cause any issues and should be treated as a no-op, but it would be nice to clean it up.
ghost
mentioned this pull request
afrittoli
added
the
kind/cleanup
Changes
The controller currently operates with a single ClusterRole that spans a very broad set of access permissions. In multi-tenant scenarios this kind of RBAC configuration can be quite dangerous. In order to better support potential multi-tenant configurations this PR splits the roles that the controller receives into two:
tekton-pipelines-controller-cluster-access: those permissions needed cluster-wide by the controller.tekton-pipelines-controller-tenant-accessthose permissions needed on a namespace-by-namespace basis.This PR does not actually change the level of access afforded to the controller. Instead, the roles are split but remain cluster-scoped by default. There should be no noticeable change in behaviour from the existing RBAC configuration in master.
If a team wanted to start running a multi-tenant service they would be able to bind
tekton-pipelines-controller-tenant-accessusing aRoleBindinginstead of aClusterRoleBinding, thereby limiting the access that the controller has to specific tenant namespaces.Hat-tip to @eddie4941 for designing these changes.
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them: