-
Notifications
You must be signed in to change notification settings - Fork 94
Remove cluster role and binding for clusters #207
Conversation
@font: Would it be better to do the following:
|
@mlowery We need to avoid creating unnecessary RBAC objects, especially if they are just an example, unless they are explicitly required by the cluster registry. The admin that deploys the cluster registry will have access to the clusters resource. They are then able to create more fine-grained ACLs if they wish. I don't think we want the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Happy to see less code!
// Create a Kubernetes cluster role binding from the default service account | ||
// in our namespace to the cluster role we just created. | ||
glog.V(4).Infof("Creating cluster role bindings %v and %v", apiServerCRBName, authDelegatorCRBName) | ||
// in our namespace to the system:auth-delegator cluster role. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this documented to exist in all clusters that support delegated auth? I expect that it would, but I would be slightly concerned that this is a pattern that not all clusters follow, and that this will break some usages.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The system:auth-delegator
cluster role is part of the default RBAC roles described here. A quick look through the code shows that these default RBAC cluster roles are created by the kube-apiserver
as part of the rbac/bootstrap-roles
PostStartHook
for the RBAC REST storage provider.
Based on that code and the doc linked above, unless somebody tampers with the defaults, I think this is expected to exist in all clusters that support and enable RBAC (--authorization-mode=RBAC
). I think we can assume or at least expect that RBAC will be enabled. Otherwise, the entire cluster registry aggregated deployment will fail. But it probably wouldn't hurt to add a check for RBAC enablement with a graceful error if it's disabled.
@perotinus PTAL. |
/lgtm Apologies, this fell off my radar in the midst of discussions about CRDs. |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: font, perotinus The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Remove unnecessary cluster role and cluster role binding objects as I don't think we'll need it. This is mainly used to provide permissions for controllers within the cluster to perform specific cluster operations e.g. an admission controller to perform specific cluster resource operations. This cleans up and simplifies the code a bit. We can always add it back later if needed.
The k8s docs on this are a little misleading and suggest this is needed.
/sig multicluster