[DO NOT MERGE] Create basic RBAC permissions for KubeVirt #322
Make sure that KubeVirt can run on Kubernetes instances where RBAC is enabled. Further give the haproxy admin rights right now, to allow it to forward all calls to the apiserver. This does not at all provide a more secure way to run KubeVirt. Its only purpose at this stage is to allow frictionless deployments on RBAC enabled Kubernetes clusters. The deployment can be properly secured, as soon as we have moved from our haproxy approach to the Aggregated API Server. Signed-off-by: Roman Mohr <rmohr@redhat.com>
With the permission assignment moved to a manifest, it is no longer necessary to give the default user admin rights in the Vagrant environment. Signed-off-by: Roman Mohr <rmohr@redhat.com>
+1
Something is still not completely right. Don't merge yet!
Any more word on this? I think it's really important that we start working with RBAC now for each of our components. With RBAC limited to exactly what each component consumes, it means we have to be explicit about any new capabilities that are being added to a component. This will make it obvious when we try to give a component access to cluster capabilities it really shouldn't have access to.
OK, so the latest state on this is that everything works when starting VMs, ... by hand. However, functional tests currently don't start because of a permission error. Will look into it as soon as I can. But someone else can pick it up too. Also @admiyo confirmed that he could use this PR practically unchanged on OpenShift during his investigations.
@rmohr if you don't mind then I'd update this PR
Please go ahead. That would be great.
Obsoleted by #418. Closing this one.
…cni-stateDir Allow flannel CNI plugin stateDir to be configurable
Update github.com/safchain/ethtool to fix the compilation error on 386. Also added 386 to the travis yaml. Fixes kubevirt#322 Signed-off-by: Moshe Levi <moshele@mellanox.com>
In order for kind provider to work with make cluster-sync, we need to add registry mirrors. Signed-off-by: Petr Horacek <phoracek@redhat.com>
Make sure that KubeVirt can run on Kubernetes instances where RBAC is
enabled. Further give the haproxy admin rights right now, to allow it to
forward all calls to the apiserver.
This does not at all provide a more secure way to run KubeVirt. Its
only purpose at this stage is to allow frictionless deployments on
RBAC enabled Kubernetes clusters.
The deployment can be properly secured, as soon as we have moved from
our haproxy approach to the Aggregated API Server.
Fixes #299, #62 and does some initial work for #301.
Signed-off-by: Roman Mohr <rmohr@redhat.com>
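
The thread's point about being explicit whenever a component gains capabilities, and the temporary admin grant for haproxy described above, can be checked mechanically when a role manifest changes. The following is an added example, not code from this PR or the KubeVirt project: `PolicyRule`, `AddedGrants` and the sample rules are assumptions made for illustration, and `resourceNames` and `nonResourceURLs` are ignored.

```go
package main

import "fmt"

// PolicyRule mirrors the apiGroups/resources/verbs fields of an RBAC rule.
type PolicyRule struct{ APIGroups, Resources, Verbs []string }
type grant struct{ group, resource, verb string }

// expand flattens rules into individual (group, resource, verb) grants.
func expand(rules []PolicyRule) (out []grant) {
	for _, r := range rules {
		for _, g := range r.APIGroups {
			for _, res := range r.Resources {
				for _, v := range r.Verbs {
					out = append(out, grant{g, res, v})
				}
			}
		}
	}
	return out
}

// covered reports whether have already allows g, honouring "*" wildcards.
func covered(have []grant, g grant) bool {
	m := func(a, b string) bool { return a == "*" || a == b }
	for _, h := range have {
		if m(h.group, g.group) && m(h.resource, g.resource) && m(h.verb, g.verb) {
			return true
		}
	}
	return false
}

// AddedGrants lists, in rule order, what newRules allow that oldRules did not.
func AddedGrants(oldRules, newRules []PolicyRule) []string {
	have, added := expand(oldRules), []string{}
	for _, g := range expand(newRules) {
		if !covered(have, g) {
			have = append(have, g) // report each new grant only once
			added = append(added, g.group+"/"+g.resource+":"+g.verb)
		}
	}
	return added
}

func main() { // constructed rules, not taken from KubeVirt's manifests
	before := []PolicyRule{{[]string{""}, []string{"pods"}, []string{"get", "list"}}}
	after := append(before, PolicyRule{[]string{"*"}, []string{"*"}, []string{"*"}})
	fmt.Println(AddedGrants(before, after))
}
```

Run in review or CI against the old and new rule sets of a role, an admin-style `*/*:*` grant shows up as a single added line instead of hiding inside a manifest change.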