-
Notifications
You must be signed in to change notification settings - Fork 451
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow project members to update Role and RoleBindings #2032
Allow project members to update Role and RoleBindings #2032
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From the changes themselves it /lgtm, but I guess @vlerenc had some comments, so let's wait for it. :)
I was only wondering how critical that is and why we want to allow that to users now while we have so many other topics open in the UAM field. Also, I was wondering how the Dashboard code will cope with it (cc @grolu @petersutter @holgerkoser) without either ignoring the fine-grained permissions or complicating the code (adding checks left and right to check for certain permissions). Most UIs have only roles and code against these roles. Allowing the users to create their own roles with their own sets of permissions is more flexible (and there is certainly also demand for that), but also more effort, as it seems (and therefore I am not sure we have the bandwidth for that, but maybe the Dashboard colleagues have found a way to make that work - just asking). |
This PR has nothing to do with the dashboard. The dashboard is an optional component to the project. |
@vlerenc we have found a way to deal with that. We don't need to implement roles in the dashboard. We still need to add logic for every action / detail / page etc. that may be hidden for a certain role, however we don't need to differentiate between the roles as we can check for the permissions directly. |
Thanks @grolu. I guess then everything is settled and we can go ahead (I understood the major concerns were about the dashboard support, right)? Or is there something else? |
From my side yes @rfranzke. I was just a tad worried whether we can support so fine-grained permissions in the dashboard @mvladev (yes, another topic, but related in sofar as it checks today what is allowed for UX reasons, so that it doesn't show everything and everything full of errors/after getting to these errors). Thanks @grolu for the heads-up. |
@mvladev can you add in the description why we need this PR? What is the actual use case? Yes with the PR that @grolu mentioned we can now efficiently check for on permission level for the selected namespace in the dashboard but I would not say that we can support any fine-grained permission that the project admin comes up with. How should we handle this degree of freedom in the dashboard? That's why I was also asking what the use case is for this PR. |
Users want to define their own Role / Rolebinding. For example you can create a service account and grant it access only to a specific Shoot / Secret.
Why this should be handled by the dashboard? |
Because users could be arguing "it works with kubectl, why can't I see the shoot / secret in the dashboard?" |
Whats the problem with k create -f - -o yaml << EOF
apiVersion: authorization.k8s.io/v1
kind: SelfSubjectRulesReview
spec:
namespace: garden-namespace-1
EOF
apiVersion: authorization.k8s.io/v1
kind: SelfSubjectRulesReview
metadata:
creationTimestamp: null
spec: {}
status:
incomplete: false
nonResourceRules:
- nonResourceURLs:
- '*'
verbs:
- '*'
- nonResourceURLs:
- /api
- /api/*
- /apis
- /apis/*
- /healthz
- /openapi
- /openapi/*
- /swagger-2.0.0.pb-v1
- /swagger.json
- /swaggerapi
- /swaggerapi/*
- /version
- /version/
verbs:
- get
- nonResourceURLs:
- /healthz
- /version
- /version/
verbs:
- get
resourceRules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
- apiGroups:
- core.gardener.cloud
resources:
- cloudprofiles
verbs:
- get
- list
- watch
- apiGroups:
- core.gardener.cloud
resources:
- cloudprofiles
- seeds
verbs:
- get
- list
- watch
- apiGroups:
- authorization.k8s.io
resources:
- selfsubjectaccessreviews
- selfsubjectrulesreviews
verbs:
- create |
We already use But if the user only has the permission to e.g. get shoot x, y, z and does not have the permission to list shoots we get a problem on the backend as we need the list permission to list the shoots(, secrets) etc. How should we show the shoot list if the user does not have the permission to list the shoots? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
@petersutter it looks $ k -n garden-dev create role single-shoot --verb=get --resource=shoots.core.gardener.cloud --resource-name=my-shoot
$ k -n garden-dev create rolebinding single-shoot --role single-shoot --user jd@example.com
$ k --as jd@example.com create -f - -o yaml << EOF
apiVersion: authorization.k8s.io/v1
kind: SelfSubjectRulesReview
spec:
namespace: garden-dev
EOF
apiVersion: authorization.k8s.io/v1
kind: SelfSubjectRulesReview
metadata:
creationTimestamp: null
spec: {}
status:
incomplete: false
nonResourceRules:
- nonResourceURLs:
- /healthz
- /version
- /version/
verbs:
- get
- nonResourceURLs:
- /api
- /api/*
- /apis
- /apis/*
- /healthz
- /openapi
- /openapi/*
- /version
- /version/
verbs:
- get
resourceRules:
- apiGroups:
- authorization.k8s.io
resources:
- selfsubjectaccessreviews
- selfsubjectrulesreviews
verbs:
- create
- apiGroups:
- core.gardener.cloud
resources:
- cloudprofiles
- seeds
verbs:
- get
- list
- watch
- apiGroups:
- core.gardener.cloud
resourceNames:
- my-shoot
resources:
- shoots
verbs:
- get |
Hi @vpnachev, so you suggest we should implement a fallback logic in case |
I would suspect that - a) this would be mainly used for automation ( service accounts and so), so dashboard won't be affected. |
a) that's why I said we should document the limitations or what privileges are required for the dashboard in order to function properly |
This is something the dashboard should handle. I don't think it's related to the scope of the PR.
you can clearly see that joe is allowed to |
If I then add list permissions, the
|
c) I ment You are talking about
Hence we can't use |
This only applies if the apiserver is configured with apiVersion: authorization.k8s.io/v1
kind: SelfSubjectRulesReview
spec: {}
status:
incomplete: false
..... As this PR affects only RBAC rules, |
even if it's configured with
But why do you say that in this case you can use |
This is the sentence before
Is the dashboard a UI or an external system? |
Again, we use On the backend (the component that provides the data to the UI) we do not want to use |
The dashboard is an external system which servers an UI. We can (and already do use) |
The question is not UI or external system. The question is do we use |
Okay I'll suggest to move this discussion to a separate issue in the Dashboard as this problem already exist in it and it as has nothing to do with this PR. |
@mvladev You wrote that already. However, the concern is that if that feature gets merged and we have no plan for the dashboard, it shouldn't be merged in the first place, if not absolutely necessary. Yes, there are very few customers who request that, but most of those few can be helped with pre-defined roles. Full dynamic roles may simply be too much for us and doing such things like replacing a list call with a custom check for clusters based on the response of So, in essence, the Dashboard question is open. If you continue the discussion on a Dashboard BLI, please don't merge this one beforehand/because of the other one. If everybody is fine with the implications, sure. But if there is uncertainty and not sufficient value, please be cautious with new features. We have to support them all and live with them. |
The Dashboard is either way not supporting all feature of the API, e.g. there is almost nothing for Seeds, CloudProfiles, Plants and ControllerRegistration. Also, nobody should expect it. The dashboard should support some basic scenarios, like it is already doing. This change will not affect the current scenario with the pre-defined roles( So I would go out with a proper documentation that the Dashboard is not supporting this RBAC openness, nothing more. How does the Kubernetes Dashboard solves this issue? |
+1 for @vpnachev's proposal. For me the question is whether the Gardener Dashboard wants to support these custom roles or not. I understand that listing with an admin user and then filtering out based on the result of the To go forward, my concrete proposal is: Merge this PR and document that custom roles (all other than the roles defined in the Gardener API ( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm fine with @rfranzke 's proposal
I'm also fine with it. |
@mvladev can you please open a PR on either the g/dashboard or g/documentation repo that explains that these custom roles are not supported by the Dashboard as of today? |
What this PR does / why we need it:
Allows project members to define their own
Role
andRoleBindings
.Privilege escalation is prevented by the RBAC API.
Which issue(s) this PR fixes:
N/A
Special notes for your reviewer:
Continuation of #1865
Release note: