
Fix RBAC configs #295

Merged
merged 8 commits into from Jul 17, 2017

@sadlil, Contributor
commented Jul 13, 2017

Fixes #252

@sadlil sadlil added this to the 3.1.0 milestone Jul 13, 2017

@sadlil sadlil self-assigned this Jul 13, 2017

@sadlil sadlil requested a review from tamalsaha Jul 13, 2017

@sadlil, Contributor Author
commented Jul 13, 2017

@tamalsaha, the role I am intending to create is:

&rbac.Role{
	ObjectMeta: metav1.ObjectMeta{
		Name:      lbc.Ingress.OffshootName(),
		Namespace: lbc.Ingress.Namespace,
		Annotations: map[string]string{
			api.OriginAPISchema: lbc.Ingress.APISchema(),
			api.OriginName:      lbc.Ingress.GetName(),
		},
	},
	Rules: []rbac.PolicyRule{
		{
			APIGroups:     []string{""},
			Resources:     []string{"configmaps"},
			ResourceNames: []string{lbc.Ingress.OffshootName()}, // The ConfigMap name is also specified.
			Verbs:         []string{"get", "list", "watch"},
		},
	},
}

-> The ConfigMap name is also specified in resource names. But this stops kloader from working. https://github.com/appscode/kloader/blob/master/mount.go#L120 this List call will always fail, though I have specified list in the verbs, because the resourceName is specified.

So either we need to give the role read permission on all configmaps, or we need to wrap the kloader list func with get, like List{Items: []{Get(name)}}.

@tamalsaha, Member
commented Jul 14, 2017

https://kubernetes.io/docs/admin/authorization/rbac/
Notably, if resourceNames are set, then the verb must not be list, watch, create, or deletecollection. Because resource names are not present in the URL for create, list, watch, and deletecollection API requests, those verbs would not be allowed by a rule with resourceNames set, since the resourceNames portion of the rule would not match the request.
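The constraint quoted above is easy to get wrong in a role built from Go struct literals, as in the rule at the top of this thread. The following is an added example (not Voyager or kloader code) of a small lint that flags any PolicyRule combining resourceNames with list/watch/create/deletecollection, plus a helper that splits such a rule into a name-scoped `get` rule and a separate unrestricted rule for the collection verbs. The `PolicyRule` type is a local copy of the four fields used in the PR so the example runs without the Kubernetes libraries, and the ConfigMap name is a constructed placeholder for `lbc.Ingress.OffshootName()`.

```go
package main

import (
	"fmt"
	"strings"
)

// PolicyRule mirrors the fields of rbac.PolicyRule used in the PR.
// Assumption: a local copy so this runs without k8s.io/api/rbac/v1.
type PolicyRule struct {
	APIGroups     []string
	Resources     []string
	ResourceNames []string
	Verbs         []string
}

// collectionVerbs carry no resource name in the request URL, so a rule with
// ResourceNames set never matches them (per the RBAC docs quoted above).
var collectionVerbs = map[string]bool{
	"list": true, "watch": true, "create": true, "deletecollection": true,
}

// LintRules returns one message per (rule, verb) pair where ResourceNames is
// combined with a collection verb; such a grant is silently ineffective.
func LintRules(rules []PolicyRule) []string {
	var problems []string
	for i, r := range rules {
		if len(r.ResourceNames) == 0 {
			continue
		}
		for _, v := range r.Verbs {
			if collectionVerbs[strings.ToLower(v)] {
				problems = append(problems, fmt.Sprintf(
					"rule %d: verb %q never matches while resourceNames %v is set (resources %v)",
					i, v, r.ResourceNames, r.Resources))
			}
		}
	}
	return problems
}

// SplitNamedRule keeps the ResourceNames restriction for name-scoped verbs
// (get, update, delete, ...) and moves collection verbs into a second rule
// without ResourceNames. This is the narrowest grant under which list/watch
// can succeed at all; a name-scoped rule is returned unchanged.
func SplitNamedRule(r PolicyRule) []PolicyRule {
	if len(r.ResourceNames) == 0 {
		return []PolicyRule{r}
	}
	var named, collection []string
	for _, v := range r.Verbs {
		if collectionVerbs[strings.ToLower(v)] {
			collection = append(collection, v)
		} else {
			named = append(named, v)
		}
	}
	var out []PolicyRule
	if len(named) > 0 {
		out = append(out, PolicyRule{APIGroups: r.APIGroups, Resources: r.Resources,
			ResourceNames: r.ResourceNames, Verbs: named})
	}
	if len(collection) > 0 {
		out = append(out, PolicyRule{APIGroups: r.APIGroups, Resources: r.Resources,
			Verbs: collection})
	}
	return out
}

func main() {
	// Constructed sample: the ConfigMap rule from the PR description.
	// "voyager-example-ingress" is a placeholder for lbc.Ingress.OffshootName().
	orig := PolicyRule{
		APIGroups:     []string{""},
		Resources:     []string{"configmaps"},
		ResourceNames: []string{"voyager-example-ingress"},
		Verbs:         []string{"get", "list", "watch"},
	}
	for _, p := range LintRules([]PolicyRule{orig}) {
		fmt.Println("LINT:", p)
	}
	for _, r := range SplitNamedRule(orig) {
		fmt.Printf("%+v\n", r)
	}
}
```

Running it prints two lint findings (for `list` and `watch`) and then the two replacement rules; running `LintRules` over the split output yields nothing, which is the property a CI check on generated roles would assert.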

@tamalsaha, Member
commented Jul 14, 2017

- apiGroups: ["voyager.appscode.com"]
  resources: ["ingresses"]
  verbs: ["get"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["ingresses"]
  verbs: ["get"]

{
--
  |   |   | +		APIGroups: []string{apiv1.GroupName},
  |   |   | +		Resources: []string{"secrets"},
>> ResourceName

  |   |   | +		Verbs:     []string{"get"},
  |   |   | +	},
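Review bot: the added `secrets` rule (`+ Resources: []string{"secrets"}`) has no `ResourceNames` entry, so it grants `get` on every secret in the namespace; since its only verb is `get`, a `ResourceNames` restriction to the secret(s) the ingress actually references is compatible with the RBAC constraint quoted above and should be added, as the `>> ResourceName` marker indicates.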


@sadlil, Contributor Author
commented Jul 14, 2017

@tamalsaha Fixed. Please review.

@sadlil sadlil changed the title WIP: Fix RBAC configs Fix RBAC configs Jul 17, 2017

@tamalsaha tamalsaha force-pushed the rback-fix branch from 11149ea to c4934fd Jul 17, 2017

@tamalsaha tamalsaha merged commit 84b26aa into master Jul 17, 2017

@tamalsaha tamalsaha deleted the rback-fix branch Jul 17, 2017
