Enhancement: Implement RBAC policy and Service Account for relay service #1544
Conversation
@rksharma95, are any further changes required? If not, then should I proceed to make a PR to relay-server's repository to update

Hey @Utkar5hM, thanks for the PR, it looks good. Can you also handle the deployment change with the operator too? Basically you need to add the new service account and RBAC roles to the resource watcher.

@rksharma95, I've updated the Operator and made a PR in relay-server's repository to update the changes in the YAML.
LGTM
Is there an existing issue in the pipeline or with the controller? I tried looking at the logs for why the So I tried running it on the main branch (updated) by adding an empty file in my fork and it seems to fail at the same stage.

@Utkar5hM can you rebase the branch to main.
Branch force-pushed from be8291e to ef5b819.
@Utkar5hM can you please rebase again 😁

Branch force-pushed from ef5b819 to 43e4d02.

@Utkar5hM please squash the commits then it's good to merge.
Signed-off-by: Utkarsh Mahajan <utkarshrm568@gmail.com>
Branch force-pushed from 43e4d02 to 90b368e.
LGTM 👍
Purpose of PR?:
Fixes #1525
Does this PR introduce a breaking change?
If the changes in this PR are manually verified, list down the scenarios covered:
Verified and found that the only place where the application seems to be using the Kubernetes API is to fetch a list of all the pods from all the namespaces, while the rest of the process takes place via gRPC and other means.
I initially tried configuring a Role/RoleBinding for implementing the RBAC policy, considering that both kubearmor and kubearmor-relay will be deployed in the same namespace, kubearmor, hoping the relay server would still work fetching only the pods from the kubearmor namespace, but it fails (it doesn't display the error in the stderr output). To further debug, I tried fetching the pod list with kubectl as the service account and it failed as well, making sure that the Kubernetes API doesn't allow fetching the entire list with a Role and would require a code change. Due to this I went ahead and configured a ClusterRole, which succeeded with the same command, and kubearmor-relay was able to detect the pods.
Additional information for reviewer? :
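The Role-versus-ClusterRole behaviour described in the PR body, as an added illustration that is not the PR's own manifests or the project's deployment files. The namespace kubearmor comes from the PR; the service account name kubearmor-relay, the object names and the verb set are assumptions chosen here for a least-privilege example (only list on pods, since the description says that is the relay's only API use).

```yaml
# Added example, not KubeArmor's own manifests. Assumed names:
# service account "kubearmor-relay", roles/bindings named below.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubearmor-relay
  namespace: kubearmor
---
# For contrast only (do not apply): a namespaced Role like the one the PR
# author tried first. A RoleBinding to it authorizes
#   GET /api/v1/namespaces/kubearmor/pods
# but an unscoped list across all namespaces (GET /api/v1/pods) is denied
# with 403, because RBAC evaluates that request at cluster scope.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kubearmor-relay-pods-namespaced
  namespace: kubearmor
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list"]
---
# What the relay actually needs: cluster scope, but still only list on pods.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kubearmor-relay-clusterrole
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kubearmor-relay-clusterrolebinding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubearmor-relay-clusterrole
subjects:
  - kind: ServiceAccount
    name: kubearmor-relay
    namespace: kubearmor
```

The same check the PR author ran with kubectl can be done without a token by impersonating the service account: `kubectl auth can-i list pods --all-namespaces --as=system:serviceaccount:kubearmor:kubearmor-relay` answers "no" when only the namespaced Role is bound and "yes" once the ClusterRoleBinding above is applied. Keeping the ClusterRole to the single verb the relay uses is the point of doing this at all; granting get/watch or further resources should wait until the relay code actually needs them.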