-
Notifications
You must be signed in to change notification settings - Fork 702
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Aggregate repos read/write ClusterRoles to OOB view/edit (#3680) #3991
Conversation
Signed-off-by: Rafa Castelblanque <rcastelblanq@vmware.com>
Signed-off-by: Rafa Castelblanque <rcastelblanq@vmware.com>
Signed-off-by: Rafa Castelblanque <rcastelblanq@vmware.com>
Signed-off-by: Rafa Castelblanque <rcastelblanq@vmware.com>
Signed-off-by: Rafa Castelblanque <rcastelblanq@vmware.com>
Signed-off-by: Rafa Castelblanque <rcastelblanq@vmware.com>
…aggregation Signed-off-by: Rafa Castelblanque <rcastelblanq@vmware.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm haven't thoroughly review how aggregated roles work yet, but it seems (to me) we should create the aggregationRule
first, shouldn't we?
I mean, from what I get from the k8s website, it seems we have to:
- Define an
aggregationRule
in the "target" role, so to speak.
metadata:
name: <whatever>
aggregationRule:
clusterRoleSelectors:
- matchLabels:
rbac.example.com/aggregate-to-<whatever>: "true"
- Use it in other roles we want:
metadata:
name: <whatever-2>
labels:
rbac.example.com/aggregate-to-<whatever>: "true"
Let me know if I'm wrong, though
We're targeting the out-of-the-box read and edit cluster roles:
|
Interesting. I wonder if both are applicable? That is:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1, but see my other comment about your alternative idea too :)
That's a good one, thank you! |
Signed-off-by: Rafa Castelblanque <rcastelblanq@vmware.com>
Signed-off-by: Rafa Castelblanque <rcastelblanq@vmware.com>
Signed-off-by: Rafa Castelblanque <rcastelblanq@vmware.com>
Signed-off-by: Rafa Castelblanque <rcastelblanq@vmware.com>
…aggregation Signed-off-by: Rafa Castelblanque <rcastelblanq@vmware.com>
After giving it a try, user doesn't have visibility of the repos even if the RoleBinding mentioned in the top is applied. Probably due to the user not having view/edit access to the global namespace. |
Signed-off-by: Rafa Castelblanque <rcastelblanq@vmware.com>
Hmm, that'd be a shame. Can you demo with
Or what's the specific issue you're seeing? |
Signed-off-by: Rafa Castelblanque <rcastelblanq@vmware.com>
I was checking directly from the Dashboard. With having only the aggregation rules in place, user has access to apprepositories in its own namespace (granted by
My issue was that at this point the repos config page breaks entirely:
I would expect that if user does not have access to global repos, at least current ns repos would show. Maybe this is intended by design? It seems inline, though, with the user being able to browse the catalog from global repos. So I think we actually need both the aggregation rules and the rolebinding I proposed for a proper functioning. What do you think? To your question |
Signed-off-by: Rafa Castelblanque <rcastelblanq@vmware.com>
Signed-off-by: Rafa Castelblanque <rcastelblanq@vmware.com>
Yes, definitely. That's what I meant above when I said "I wonder if both are applicable?" (ie. that we would need both the role and your idea for the system:authenticated ). Excellent, this is a nice change Rafa, thanks! Land when ready :) |
Signed-off-by: Rafa Castelblanque rcastelblanq@vmware.com
Description of the change
This solution helps to solve the scenario suggested by Dimitri:
This change sits on top of the feature added in #3989.
Aggregate labels so that our cluster repo roles are aggregated to the existing read/view roles.
Basically:
kubeapps:{{ KUBEAPPS_NAMESPACE }}:apprepositories-read
is aggregated to the OOBview
rolekubeapps:{{ KUBEAPPS_NAMESPACE }}:apprepositories-write
is aggregated to the OOBedit
roleAnother alternative to label aggregation would be to add to Helm RBAC template a rolebinding specific to the global repos namespace, and targeted to any logged in user.Something like:
The above binding would not require for the user to have the
view
role.Personally I believe that the roles aggregation is a simpler, more transparent approach.
Benefits
Kubeapps will allow viewing global repos to users with
view
role. And the same for user with theedit
role.Possible drawbacks
N/A
Applicable issues