Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

#872 Add certificates and issuers to aggregated RBAC #902

Merged
merged 10 commits into from Sep 21, 2018
Merged

#872 Add certificates and issuers to aggregated RBAC #902

merged 10 commits into from Sep 21, 2018

Conversation

fuel-wlightning
Copy link
Contributor

@fuel-wlightning fuel-wlightning commented Sep 13, 2018
edited

What this PR does / why we need it:
This adds two permissions to the user facing RBAC roles. This allows a user with permissions to their own namespace to be able to manage their own certificates and issuers.

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #872

Special notes for your reviewer:
I was unable to figure out where to put tests for the chart. I'm happy to fix with some pointers. Manual test steps are below.

Manual Testing & Verification
View Access:

# Create Namespace:
kubectl create ns test-view
# Setup Service Account:
kubectl --namespace=test-view create sa test-user
# Setup Role Binding:
kubectl --namespace=test-view create rolebinding test-rb --clusterrole=view --serviceaccount=test-view:test-user
# Wait a few seconds for RBAC to process above changes
sleep 5
# Read (should succeed)
kubectl --namespace=test-view --as=system:serviceaccount:test-view:test-user auth can-i get certificates
# Write (should fail)
kubectl --namespace=test-view --as=system:serviceaccount:test-view:test-user auth can-i create certificates
# Remove namespace
kubectl delete ns test-view

Edit Access:

# Create Namespace:
kubectl create ns test-edit
# Setup Service Account:
kubectl --namespace=test-edit create sa test-user
# Setup Role Binding:
kubectl --namespace=test-edit create rolebinding test-rb --clusterrole=edit --serviceaccount=test-edit:test-user
# Wait a few seconds for RBAC to process above changes
sleep 5
# Read (should succeed)
kubectl --namespace=test-edit --as=system:serviceaccount:test-edit:test-user auth can-i get certificates
# Write (should succeed)
kubectl --namespace=test-edit --as=system:serviceaccount:test-edit:test-user auth can-i create certificates
# Remove namespace
kubectl delete ns test-edit

Admin Access:

# Create Namespace:
kubectl create ns test-admin
# Setup Service Account:
kubectl --namespace=test-admin create sa test-user
# Setup Role Binding:
kubectl --namespace=test-admin create rolebinding test-rb --clusterrole=admin --serviceaccount=test-admin:test-user
# Wait a few seconds for RBAC to process above changes
sleep 5
# Read (should succeed)
kubectl --namespace=test-admin --as=system:serviceaccount:test-admin:test-user auth can-i get certificates
# Write (should succeed)
kubectl --namespace=test-admin --as=system:serviceaccount:test-admin:test-user auth can-i create certificates
# Remove namespace
kubectl delete ns test-admin

Release note:

Added RBAC permissions for user facing roles to access Certificates and Issuers.

@fuel-wlightning
cert-manager#872 Add certificates and issuers to aggregated RBAC for …
819cfcd 
…view, edit and admin ClusterRoles.

Signed-off-by: William Lightning <wlightning@fuelmedical.com>
@jetstack-bot jetstack-bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. labels Sep 13, 2018
@jetstack-bot jetstack-bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Sep 13, 2018
@munnerz
Copy link
Member

munnerz commented Sep 13, 2018

/ok-to-test

@jetstack-bot jetstack-bot removed the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Sep 13, 2018
@fuel-wlightning
Bump cert-manager helm chart version to v0.6.0-dev.1
6e66f5e 
Signed-off-by: William Lightning <wlightning@fuelmedical.com>
@fuel-wlightning
Copy link
Contributor Author

/retest

@jetstack-bot jetstack-bot added dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Sep 13, 2018
@jetstack-bot jetstack-bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. and removed dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. labels Sep 13, 2018
@fuel-wlightning
Update deploy manifests with chart cert-manager-v0.6.0-dev.1
9b66858 
Signed-off-by: William Lightning <wlightning@fuelmedical.com>
@jetstack-bot jetstack-bot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Sep 13, 2018
@fuel-wlightning
Copy link
Contributor Author

This now has the deploy manifests updated, removed the relavent note from the top description.

@munnerz
Copy link
Member

munnerz commented Sep 13, 2018

Thanks for the detailed steps to test this - if we want to automate checks here, we'll need to actually write the test into part of our e2e pipeline.

Feel free to give this a go - I think we do provide provisions to just run kubectl using our e2e framework. See ./test/e2e for some examples.

That said, I am happy to accept this as is for now if you would like to follow up with tests later!

@fuel-wlightning
Copy link
Contributor Author

I'd like to go ahead and give writing an e2e test for it a go. So I'll work on that today.

@jetstack-bot jetstack-bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Sep 14, 2018
@fuel-wlightning
Refactor common rbac test code into function
d22a62d 
Signed-off-by: William Lightning <wlightning@fuelmedical.com>
@fuel-wlightning
Add comprehensive tests around certificate rbac user facing roles
12713c8 
Signed-off-by: William Lightning <wlightning@fuelmedical.com>
@munnerz
Copy link
Member

munnerz commented Sep 19, 2018
edited

Thanks very much for putting those tests together! This looks good to me 😄

I will add lgtm and approved labels, but also add 'hold' just in case there's anything else you had meant to add.

You can merge this when you are ready with /hold cancel 😄

/lgtm
/approve
/hold

@jetstack-bot jetstack-bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm Indicates that a PR is ready to be merged. labels Sep 19, 2018
@jetstack-bot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: munnerz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@jetstack-bot jetstack-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 19, 2018
@fuel-wlightning
Copy link
Contributor Author

@munnerz Glad to get feedback. I plan to expand these beyond certificates, to cover issuers.

I did have questions regarding the following.

  1. With rbacClusterRoleHasAccessToResource being used by multiple test files, I'm thinking ofmoving it to framework/util.go does this sound good?
  2. Do you want a negative suite of tests on cluster issuer.
  3. I am a little concerned about adding time to the e2e tests, my tests just for certificate have added 5 minutes to the full run. Should I try and limit my testing to avoid this?

@fuel-wlightning
certificate_rbac test: move defintion of resource up in the unit test…
8dcfd76 
…, so we're not defining it on every it

Signed-off-by: William Lightning <wlightning@fuelmedical.com>
@fuel-wlightning
extract rbacClusterRoleHasAccessToResource out of certificate_rbac te…
3d09d98 
…st to test framework util

Signed-off-by: William Lightning <wlightning@fuelmedical.com>
@fuel-wlightning
Update certificate_rbac test framework initialization basename
180af30 
Signed-off-by: William Lightning <wlightning@fuelmedical.com>
@jetstack-bot jetstack-bot added dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed lgtm Indicates that a PR is ready to be merged. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Sep 19, 2018
@fuel-wlightning
Build out issuer_rbac tests based on certificate_rbac tests
7d8c7dd 
Signed-off-by: William Lightning <wlightning@fuelmedical.com>
@jetstack-bot jetstack-bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. and removed dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. labels Sep 19, 2018
@fuel-wlightning
Copy link
Contributor Author

Okay,
This looks good to me now.

  1. I went ahead and put it in /test/e2e/framework/utils.go. It seems to fit.
  2. Due to the amount of time that's taken by the tests and ClusterIssuers being out of scope of the change, I decided not to implement the negative tests.
  3. Total increase of e2e testing time is: 6min 33seconds. Not quite as much as I feared. The only change I could think of is to try decreasing the delay for waiting for RBAC to take effect, which is only a potential savings of 24 seconds (assuming half a second works). I feel like that might be better fitting a new a PR which can address e2e optimizations in general.

Canceling do-not-merge hold, as I'm happy if the reviewers are now.
/hold cancel

@jetstack-bot jetstack-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 19, 2018
@munnerz
Copy link
Member

munnerz commented Sep 21, 2018

Thanks very much for the work here!

Yes there's a number of still to-do optimisations needed around e2e's (notably, we run most of our tests in parallel...)

/lgtm

@jetstack-bot jetstack-bot added the lgtm Indicates that a PR is ready to be merged. label Sep 21, 2018
@jetstack-bot jetstack-bot merged commit 5081430 into cert-manager:master Sep 21, 2018
This was referenced Mar 10, 2022
Closed
Merged
@erikgb erikgb mentioned this pull request Jul 27, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@simonswine simonswine Awaiting requested review from simonswine

Assignees

@munnerz munnerz

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add certificate and issuer RBAC Cluster User Facing Rules for default user facing cluster roles.
3 participants
@fuel-wlightning @munnerz @jetstack-bot