This repository has been archived by the owner on Oct 7, 2020. It is now read-only.

Make sidecar injector clusterrole more restrictive by specifying resourcenames #231

Merged
merged 2 commits into from
Jun 7, 2019

Conversation

neeleshkorade
Contributor

@neeleshkorade neeleshkorade commented Jun 7, 2019

@sdake

Tested this manually for:

  1. go templating
  2. functionality by verifying in our test cluster that auto injection of sidecar works with the updated role
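The point of this PR is that a rule on mutatingwebhookconfigurations without resourceNames lets the injector's service account touch every webhook configuration in the cluster, while a resourceNames entry pins it to its own. Below is an added audit helper (example code, not part of the Istio installer or this PR) that walks a rendered ClusterRole and reports two things: rules on sensitive resources that carry no resourceNames, and rules whose resourceNames are paired with verbs Kubernetes RBAC cannot scope by name (list, watch, create, deletecollection), which silently grant nothing for those verbs. The sample ClusterRole is constructed inline with .Release.Namespace rendered as istio-system; the verbs on its second rule are an assumption for illustration, not copied from the PR.

```python
"""Audit rendered RBAC rules for resourceNames scoping.

Added example, not code from the Istio installer project. It operates on a
plain dict mirroring a rendered ClusterRole, so it runs without a cluster or
PyYAML; feed it json.load()/yaml.safe_load() output in practice.
"""

# Requests for these verbs do not name a single object (a list or watch has
# no object name unless a newer cluster narrows it with a field selector), so a
# rule that sets resourceNames never matches them: the verbs are dead weight
# or the role is broken at runtime.
UNSCOPEABLE_VERBS = {"list", "watch", "create", "deletecollection"}

# Constructed sample: roughly what the two rules in the PR look like after Helm
# substitutes .Release.Namespace = "istio-system". The verb list on the second
# rule is an assumption for illustration.
SAMPLE_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "istio-sidecar-injector-istio-system"},
    "rules": [
        {"apiGroups": [""], "resources": ["configmaps"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["admissionregistration.k8s.io"],
         "resources": ["mutatingwebhookconfigurations"],
         "resourceNames": ["istio-sidecar-injector-istio-system"],
         "verbs": ["get", "list", "watch", "patch"]},
    ],
}


def audit_rules(clusterrole, sensitive_resources):
    """Return a list of (rule index, finding, details) tuples.

    Findings:
      * "unscoped": the rule touches a sensitive resource (or "*") but has no
        resourceNames, so its verbs apply to every object of that kind.
      * "verbs-not-constrained": the rule has resourceNames but also lists
        verbs that RBAC cannot restrict by object name.
    """
    sensitive = set(sensitive_resources)
    findings = []
    for i, rule in enumerate(clusterrole.get("rules", [])):
        resources = set(rule.get("resources", []))
        names = rule.get("resourceNames", [])
        verbs = set(rule.get("verbs", []))

        # A wildcard resource covers every sensitive kind at once.
        hit = sensitive if "*" in resources else resources & sensitive
        if hit and not names:
            findings.append((i, "unscoped", sorted(hit)))

        dead = verbs & UNSCOPEABLE_VERBS
        if names and dead:
            findings.append((i, "verbs-not-constrained", sorted(dead)))
    return findings


if __name__ == "__main__":
    for idx, kind, detail in audit_rules(
            SAMPLE_CLUSTERROLE, {"mutatingwebhookconfigurations"}):
        print(f"rule[{idx}] {kind}: {detail}")
```

Run against the sample, the only finding is on the second rule: the resourceNames entry is in place, but the list and watch verbs on it are not constrained by it, so they should either be dropped or moved to a separate rule if the injector genuinely needs them.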

@googlebot googlebot added the cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. label Jun 7, 2019
verbs: ["get", "list", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
resourceNames: [{{ print "\"istio-sidecar-injector-" .Release.Namespace "\"" }}]
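Review bot: the resourceNames line can be the plain template string `"istio-sidecar-injector-{{ .Release.Namespace }}"` inside the list instead of building the quoted value with `print` and escaped quotes; Helm renders both to the same YAML, and the shorter form is easier to read and lint. One caveat worth checking before merge: Kubernetes RBAC does not apply resourceNames to list, watch, create or deletecollection requests, so if the verbs on this rule (not shown in the snippet) include list or watch, this rule no longer grants them; keep only get/patch/update here and put any list/watch the injector truly needs in a separate rule.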
Member

minor point: I think this can just be ["istio-sidecar-injector-{{.Release.Namespace}"] or does that not work?

Member

good point - worth simplifying this if possible.

Contributor Author

Thanks @howardjohn. I updated the PR with the suggested change.

Member

@howardjohn howardjohn left a comment

Nice! a good part of istio/istio#14158

@sdake I've heard you have looked into the cluster roles a lot if you know of any reason why this isn't safe? Otherwise lgtm

@sdake
Member

sdake commented Jun 7, 2019

@howardjohn looks good to me - @neeleshkorade contacted me prior to the submission. As a check is failing, we need to sort that out.

Cheers
-steve

@sdake
Member

sdake commented Jun 7, 2019

gate failure

kubectl wait routes helloworld-go --for=condition=ready --timeout=240s
Error from server (NotFound): routes.serving.knative.dev "helloworld-go" not found
make: *** [test/noauth.mk:55: run-test-knative] Error 1
Makefile:165: recipe for target 'docker-run-test' failed
make: *** [docker-run-test] Error 2
Exited with code 2

Member

@sdake sdake left a comment

/lgtm

waiting on experiments to determine if the simplification produces desired results.


@howardjohn
Member

gate failure

kubectl wait routes helloworld-go --for=condition=ready --timeout=240s
Error from server (NotFound): routes.serving.knative.dev "helloworld-go" not found
make: *** [test/noauth.mk:55: run-test-knative] Error 1
Makefile:165: recipe for target 'docker-run-test' failed
make: *** [docker-run-test] Error 2
Exited with code 2

I think this is a flake, should be investigated

@mergify mergify bot merged commit 399986a into istio:master Jun 7, 2019