
Cluster permissions #438

Open
blezoray opened this issue May 28, 2024 · 4 comments
Labels
documentation Improvements or additions to documentation
Milestone
blezoray commented May 28, 2024

Hello,

I was looking at the permissions that are requested at cluster level when you run the kube-green operator and, if I compare v0.5.2 with the current version, you can see that it requests all verbs on all resources and apigroups:
https://github.com/kube-green/kube-green/blob/main/bundle/manifests/kube-green.clusterserviceversion.yaml#L148-L161

And in v0.5.2, you already request all verbs on secrets:
https://github.com/kube-green/kube-green/blob/v0.5.2/bundle/manifests/kube-green.clusterserviceversion.yaml#L154-L165

Could you explain why it needs such huge permissions?

Rgds, Bruno.

@davidebianchi davidebianchi added the documentation Improvements or additions to documentation label May 29, 2024
@davidebianchi (Member)

Hi @blezoray! I added a PR to highlight these changes in the installation docs: https://github.com/kube-green/kube-green.github.io/pull/65/files.

With version 0.6.0, it will be possible to manage all resources by writing specific patch rules. In the Helm chart, a value will be added to configure the RBAC settings as desired, with the default set to manage the default resources.

Another option is to modify it to grant kube-green permissions restricted to the default managed manifests, and update the configuration if more resources need to be added. Before the release of the stable version, this is something to decide. For sure, the safest solution would be to give only the permission to manage the default supported resources.

@blezoray (Author)

Thanks for your answer.
Unfortunately, if you deploy kube-green with OLM (Operator Lifecycle Manager on OpenShift), the clusterrole is statically specified in the ClusterServiceVersion.

Why not limit the clusterrole to the apps API group (DaemonSet, Deployment, StatefulSet)? Is there any use case where the controller needs to manage other resources?

@davidebianchi (Member)

Yes, an example use case is if you need to modify some CR which manages some runtime resources, defined by a CRD. For example, in the tests there is a use case in which a Keda resource is changed to manage the autoscaling rules.

We can use the aggregated rules of roles to extend the permissions: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles. In this way, by default the operator defines only the ClusterRole with the base managed resources, and it will be possible to extend it by creating new ClusterRoles manually. Could this address your use case?

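For reference, this is what the aggregated-ClusterRole approach described in the comment above looks like in manifests. It is an added illustration, not kube-green's own RBAC; the role names, the `rbac.kube-green.example/aggregate` label key and the KEDA extension role are assumed, and the verb list is only what a scale-down operator plausibly needs on the apps workloads named in this thread.

```yaml
# Added example (not from the kube-green project). The operator would ship only
# the aggregated role plus the base role; anything beyond the apps group is an
# opt-in ClusterRole that a cluster admin creates and labels, instead of the
# operator being granted "*" on every API group.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-green-aggregated        # assumed name; bind this one to the operator SA
aggregationRule:
  clusterRoleSelectors:
    - matchLabels:
        rbac.kube-green.example/aggregate: "true"   # assumed label key
rules: []   # left empty on purpose: the control plane fills it from matching roles
---
# Base permissions: only the default-managed workloads in the apps API group.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-green-base
  labels:
    rbac.kube-green.example/aggregate: "true"
rules:
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch", "update", "patch"]
---
# Opt-in extension for the KEDA use case mentioned above. Only create this on
# clusters where kube-green must patch ScaledObjects (keda.sh group).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kube-green-keda
  labels:
    rbac.kube-green.example/aggregate: "true"
rules:
  - apiGroups: ["keda.sh"]
    resources: ["scaledobjects"]
    verbs: ["get", "list", "watch", "update", "patch"]
---
# The operator's ServiceAccount is bound to the aggregated role only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kube-green-aggregated
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kube-green-aggregated
subjects:
  - kind: ServiceAccount
    name: kube-green-controller-manager   # assumed SA name
    namespace: kube-green                 # assumed namespace
```

After applying, `kubectl get clusterrole kube-green-aggregated -o yaml` shows the merged `rules`, which is the quickest way to audit exactly what the operator can do on a given cluster; deleting the `kube-green-keda` role removes those rules again without touching the operator.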

blezoray commented Jun 3, 2024

Thanks @davidebianchi, aggregated rules would be a great solution.

@davidebianchi davidebianchi added this to the v0.6.0 milestone Jun 8, 2024