New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[DO NOT MERGE] Create basic RBAC permissions for KubeVirt #322

Closed
wants to merge 2 commits into
base: master
from

Conversation

Projects
None yet
3 participants
@rmohr
Member

rmohr commented Jul 17, 2017

Make sure that KubeVirt can run on Kubernetes instances where RBAC is
enabled. Further give the haproxy admin rights right now, to allow it to
forward all calls to the apiserver.

This does not at all provide a more secure way to run KubeVirt. It's
only purpose at this stage is to allow friction-less deployments on
RBAC enabled Kubernetes clusters.

The depolyment can be properly secured, as soon as we have movedm from
our haproxy approach to the Aggregated API Server.

Fixes #299, #62 and does some initial work for #301.

Signed-off-by: Roman Mohr rmohr@redhat.com

@rmohr

This comment has been minimized.

Show comment
Hide comment
@rmohr
Member

rmohr commented Jul 17, 2017

/cc @admiyo @fabiand FYI

rmohr added some commits Jul 17, 2017

Create basic RBAC permissions for KubeVirt
Make sure that KubeVirt can run on Kubernetes instances where RBAC is
enabled. Further give the haproxy admin rights right now, to allow it to
forward all calls to the apiserver.

This does not at all provide a more secure way to run KubeVirt. It's
only purpose at this stage, is to allow friction less deployments on
RBAC enabled Kubernetes clusters.

The depolyment can be properly secured, as soon as we have movedm from
our haproxy approach to the Aggregated API Server.

Signed-off-by: Roman Mohr <rmohr@redhat.com>
Remove KubeVirt RPBAC permission assignemnt in Vagrant
With the permission assignment moved to a manifest, it is no longer
necessary to give the default user admin rights in the Vagrant
environment.

Signed-off-by: Roman Mohr <rmohr@redhat.com>

@rmohr rmohr requested review from fabiand and admiyo Jul 17, 2017

@rmohr rmohr changed the title from [WIP] Create basic RBAC permissions for KubeVirt to Create basic RBAC permissions for KubeVirt Jul 17, 2017

@fabiand

+1

@rmohr

This comment has been minimized.

Show comment
Hide comment
@rmohr

rmohr Jul 18, 2017

Member

Something is still not completely right. Don't merge yet!

Member

rmohr commented Jul 18, 2017

Something is still not completely right. Don't merge yet!

@rmohr rmohr changed the title from Create basic RBAC permissions for KubeVirt to [DO NOT MERGE] Create basic RBAC permissions for KubeVirt Jul 18, 2017

@davidvossel

This comment has been minimized.

Show comment
Hide comment
@davidvossel

davidvossel Aug 7, 2017

Member

any more word on this?

I think it's really important that we start working with RBAC now for each of our components.

With RBAC limited to exactly what each component consumes, it means we have to be explicit about any new capabilities that are being added to a component. This will make it obvious when we try to give a component access to cluster capabilities it really shouldn't have access to.

Member

davidvossel commented Aug 7, 2017

any more word on this?

I think it's really important that we start working with RBAC now for each of our components.

With RBAC limited to exactly what each component consumes, it means we have to be explicit about any new capabilities that are being added to a component. This will make it obvious when we try to give a component access to cluster capabilities it really shouldn't have access to.

@rmohr

This comment has been minimized.

Show comment
Hide comment
@rmohr

rmohr Sep 1, 2017

Member

Ok, so the latest state on this is, that everything works when starting VMs, ... by hand. However functional tests currently don't start because of a permission error. Will look into it as soon as I can. But someone else can pick it up too. Also @admiyo confirmed that he could practically unchanged use this PR on OpenShift during his investigations.

Member

rmohr commented Sep 1, 2017

Ok, so the latest state on this is, that everything works when starting VMs, ... by hand. However functional tests currently don't start because of a permission error. Will look into it as soon as I can. But someone else can pick it up too. Also @admiyo confirmed that he could practically unchanged use this PR on OpenShift during his investigations.

@fabiand

This comment has been minimized.

Show comment
Hide comment
@fabiand

fabiand Sep 6, 2017

Member

@rmohr if you don#t mind then I'd update this PR

Member

fabiand commented Sep 6, 2017

@rmohr if you don#t mind then I'd update this PR

@rmohr

This comment has been minimized.

Show comment
Hide comment
@rmohr

rmohr Sep 6, 2017

Member

Please go ahead. That would be great.

Member

rmohr commented Sep 6, 2017

Please go ahead. That would be great.

@fabiand fabiand referenced this pull request Sep 6, 2017

Merged

Add basic RBAC support #418

@fabiand

This comment has been minimized.

Show comment
Hide comment
@fabiand

fabiand Sep 6, 2017

Member

Obsoleted by #418.

Closing this one.

Member

fabiand commented Sep 6, 2017

Obsoleted by #418.

Closing this one.

@fabiand fabiand closed this Sep 6, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment