Issue 3512: To limit kubevirt-controller service account from modifying CRs #4298
Hi @yuhaohaoyu. Thanks for your PR. I'm waiting for a kubevirt member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/assign @rmohr Again, our first PR, we are simply following the instruction from an email sent by the kubevirt-bot. I noticed that the 'continuous-integration/travis-ci/pr' could not complete. The associated details show an unknown reason for the termination of the building process, with no linkage to the PR. I will wait for further notice.
Hi, we disabled builds with Travis. It should go away if you rebase on master.
(Author keeping track of the git ops; comments are welcome so as to get a concise workflow):
Then GitHub automatically started the CI again.
/assign @JinjunXiong
/retest
Overall looks good! Thanks for this PR.
Added a comment and a suggestion.
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Made the following changes to the code to address review comments from @danielBelenky
/assign @danielBelenky
The latest update in the Rule A
Rule B
With the change of adding the verb
To fix the last two functional tests: 3145, 4642, I had to eventually revert the rule to:
The exercise would also suggest:
As a summary, the effort to refactor the RBAC rule of the Before the PR, all CI tests pass:
Refactoring that allow
Note there is not much room for tweaking the specification between the orig rule and rule1 rule. To log the tweaking briefly, we used these loosely defined terms,
With these terms the rule tweaking is logged as below
The main conclusion from this table is that in order to keep the current CI tests, the rule has to use The secondary findings (not explained) are:
Following the minimalism practice, there is no reason to merge this PR. The code changes are:
…evirt-operator via refactoring RBAC rules, with associated functional tests Signed-off-by: Hao Yu <yuh@us.ibm.com>
…onstants Signed-off-by: Hao Yu <yuh@us.ibm.com> Co-authored-by: Jinjun Xiong <jinjun@us.ibm.com> Co-authored-by: Jinjun Xiong <jinjun@gmail.com>
…rom kubevirt-operator via refactoring RBAC rules, with associated functional tests - Removed the test_id associated to the 6 tests - Reorganized the code flow in the func-test for clarity and brevity - Corrected the rules for kubevirt-operator cluster-role (previous rules were wrong, too tight) Signed-off-by: Hao Yu <yuh@us.ibm.com>
…le definition (generated) Signed-off-by: Hao Yu <yuh@us.ibm.com>
…evirt-operator via refactoring RBAC rules, with associated functional tests - Removed the test_id associated to the 6 tests - Reorganized the code flow in the func-test for clarity and brevity - Corrected the rules for kubevirt-operator cluster-role (previous rules were wrong, too tight) Signed-off-by: Hao Yu <yuh@us.ibm.com>
…usterrole definition (generated) Signed-off-by: Hao Yu <yuh@us.ibm.com>
…th Resources field and Verbs field to pass test 3145 and 4642. Keeping the more restrictive rule for reference Signed-off-by: Hao Yu <yuh@us.ibm.com>
…ller clusterrole definition (generated) Signed-off-by: Hao Yu <yuh@us.ibm.com>
@yuhaohaoyu: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with /lifecycle stale
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with /lifecycle rotten
@yuhaohaoyu: The following tests failed, say
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Rotten issues close after 30d of inactivity. /close
@kubevirt-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
What this PR does / why we need it:
The purpose of the PR is to address the problem discussed in issue 3512, i.e. to prevent the service account kubevirt-controller from modifying or deleting custom resources in the API Group kubevirt.io. One reason that the problem existed was that the RBAC role associated with the service account kubevirt-controller can do anything to all the resources in the API Group kubevirt.io. The solution follows the discussion in the issue: to refactor the RBAC rule associated to the kubevirt-controller role by spelling out action verbs for each of the 6 resources in the API group. In this PR, the permissions associated with the RBAC role kubevirt-controller are summarized as below:
The PR includes an addition of 6 tests to tests/access_test.go that essentially run the command kubectl auth can-i delete vm --as system:serviceaccount:kubevirt:kubevirt-controller for the 8 verbs against the 6 resource objects.
The PR contains a minor code cleanup that replaced some recurring string literals by constants in pkg/virt-operator/creation/rbac/operator.go to align with the practice of other files under the same directory, e.g. pkg/virt-operator/creation/rbac/handler.go.
Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged): Fixes #3512
Special notes for your reviewer:
This is a joint effort with @JinjunXiong and authors' first PR to this project and detailed review feedback from all aspects of the PR are highly appreciated.
Release note:
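The refactoring the PR description explains, and the "orig rule vs rule1" tweaking logged in the summary comment above, both come down to replacing a wildcard RBAC rule for the kubevirt.io group with rules that enumerate verbs per resource. The Go program below is an added example, not code from this PR or from the kubevirt project. It evaluates a rule set offline with the same matching semantics the Kubernetes RBAC authorizer applies ("*" matches everything, rules are allow-only) and reports which resource/verb pairs a refactoring removes and, just as importantly, whether it accidentally adds any. The six resource names and the per-resource verb allocation in RestrictedRules are assumptions made for illustration; the PR's actual permission table is not reproduced on this page.

```go
package main

import (
	"fmt"
	"sort"
)

// PolicyRule carries the three fields of a Kubernetes RBAC rule that matter
// for an authorization decision. Matching follows the RBAC authorizer:
// a "*" entry in any field matches every value of that field.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

func matches(allowed []string, want string) bool {
	for _, a := range allowed {
		if a == "*" || a == want {
			return true
		}
	}
	return false
}

// RuleAllows reports whether one rule grants verb on group/resource.
func RuleAllows(r PolicyRule, group, resource, verb string) bool {
	return matches(r.APIGroups, group) &&
		matches(r.Resources, resource) &&
		matches(r.Verbs, verb)
}

// CanI evaluates a rule set the way a ClusterRole is evaluated: RBAC is
// allow-only, so a single matching rule is enough and nothing can deny.
func CanI(rules []PolicyRule, group, resource, verb string) bool {
	for _, r := range rules {
		if RuleAllows(r, group, resource, verb) {
			return true
		}
	}
	return false
}

const kubevirtGroup = "kubevirt.io"

// The eight verbs the PR's access tests exercise.
var Verbs = []string{"get", "list", "watch", "create", "update", "patch", "delete", "deletecollection"}

// Six kubevirt.io resources (assumed set; the PR does not list them here).
var Resources = []string{
	"virtualmachines", "virtualmachineinstances",
	"virtualmachineinstancereplicasets", "virtualmachineinstancepresets",
	"virtualmachineinstancemigrations", "kubevirts",
}

// WildcardRule is the situation described in issue 3512: the controller
// can do anything to every resource in the kubevirt.io group.
var WildcardRule = []PolicyRule{
	{APIGroups: []string{kubevirtGroup}, Resources: []string{"*"}, Verbs: []string{"*"}},
}

// RestrictedRules is a hypothetical per-resource allocation used only to
// illustrate the refactoring; it is NOT the verb table from the PR.
var RestrictedRules = []PolicyRule{
	{APIGroups: []string{kubevirtGroup}, Resources: Resources, Verbs: []string{"get", "list", "watch"}},
	{APIGroups: []string{kubevirtGroup}, Resources: []string{"virtualmachines", "virtualmachineinstances"}, Verbs: []string{"update", "patch"}},
	{APIGroups: []string{kubevirtGroup}, Resources: []string{"virtualmachineinstances"}, Verbs: []string{"create", "delete"}},
}

// Removed lists every resource/verb pair in the kubevirt.io group that
// `before` grants and `after` does not, i.e. the privilege the refactoring
// takes away. The result is sorted so output is stable.
func Removed(before, after []PolicyRule) []string {
	var out []string
	for _, res := range Resources {
		for _, verb := range Verbs {
			if CanI(before, kubevirtGroup, res, verb) && !CanI(after, kubevirtGroup, res, verb) {
				out = append(out, res+"/"+verb)
			}
		}
	}
	sort.Strings(out)
	return out
}

// Added is the reverse check: anything the new rules grant that the old
// ones did not would be an unintended privilege escalation.
func Added(before, after []PolicyRule) []string {
	return Removed(after, before)
}

func main() {
	for _, pair := range Removed(WildcardRule, RestrictedRules) {
		fmt.Println("no longer allowed:", pair)
	}
	fmt.Println("unintended additions:", Added(WildcardRule, RestrictedRules))
}
```

Run it with `go run .`; the PR's functional tests observe the same matrix against a live cluster by looping `kubectl auth can-i <verb> <resource> --as system:serviceaccount:kubevirt:kubevirt-controller`, whereas this program derives it from the rule definition alone, which makes it usable as a pre-merge check that a ClusterRole change only removes privilege and never widens it.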