Restrict RBAC on webhooks and CRDS #1658
I'll take a look at these failing tests.
47cd448 to 4afd09c
internal/k8s/k8s.go
@@ -354,7 +354,7 @@ func (c *Client) CreateMlSecret(namespace, controllerDeploymentName, secretName | |||
}, | |||
metav1.CreateOptions{}) | |||
if err == nil { | |||
level.Info(c.logger).Log("op", "CreateMlSecret", "msg", "secret succesfully created") | |||
level.Info(c.logger).Log("op", "CreateMlSecret", "msg", "secret successfully created") |
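Review bot: The only change in this hunk is the spelling of the CreateMlSecret log message ("succesfully" to "successfully") in internal/k8s/k8s.go, which is unrelated to the RBAC restriction this PR is titled for. Drop it from this branch or send it on its own, so the RBAC change can be reviewed, bisected and reverted without carrying an unrelated edit.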
How come this is here? I thought I merged it
That's a good question. Cleaned this up and looks like it's gone.
Looks good (apart from the intruder commit). Just one ask, would you mind squashing? I think it makes sense to have 3 commits here:
Updates RBAC template to only allow list access to all webhooks and CRDS, while permitting the original extended access specifically to MetalLB created resources. Signed-off-by: Tyler Auerbeck <tylerauerbeck@users.noreply.github.com>
Updates RBAC manifest to only allow list access to all webhooks and CRDS, while permitting the original extended access specifically to MetalLB created resources. Signed-off-by: Tyler Auerbeck <tylerauerbeck@users.noreply.github.com>
Generates various flavors of all-in-one manifests using the new RBAC configuration to restrict RBAC access to MetalLB resources. Signed-off-by: Tyler Auerbeck <tylerauerbeck@users.noreply.github.com>
fad5128 to 775a13d
@fedepaol Cleaned this up like you asked. Should be good to go once CI passes.
Awesome, I have a few other PRs below this, rebasing, waiting for CI and merging.
This PR restricts the ability to make changes to CRDS and webhooks to only specific CRDS and webhooks deployed by MetalLB.
Fixes #1641
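The kind of check that catches the over-broad grant this PR removes, as an added example that is not code from this PR or from MetalLB: it flags RBAC rules that give write verbs on CRDs or webhook configurations without `resourceNames`. The rule sets, verb lists and the names `example-pool.example.io` and `example-webhook-configuration` are constructed placeholders, not the project's manifests.

```python
"""Lint RBAC rules: writes to CRDs/webhook configs must be name-scoped."""

SENSITIVE = {
    ("apiextensions.k8s.io", "customresourcedefinitions"),
    ("admissionregistration.k8s.io", "validatingwebhookconfigurations"),
    ("admissionregistration.k8s.io", "mutatingwebhookconfigurations"),
}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}

def unscoped_write_rules(rules):
    """Return (rule index, resource, verbs) for every rule that grants a write
    verb on a sensitive resource without limiting it via resourceNames."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.get("resourceNames"):
            continue  # grant is limited to the named objects
        verbs = WRITE_VERBS & set(rule.get("verbs", []))
        if not verbs:
            continue  # read-only rule (get/list/watch)
        for group in rule.get("apiGroups", []):
            for res in rule.get("resources", []):
                # "*" in the rule matches any API group or resource
                if any(group in (g, "*") and res in (r, "*") for g, r in SENSITIVE):
                    findings.append((i, res, sorted(verbs)))
    return findings

ALL = ["create", "delete", "get", "list", "patch", "update", "watch"]
# Constructed "before": full access to every CRD and webhook configuration.
BEFORE = [
    {"apiGroups": ["apiextensions.k8s.io"],
     "resources": ["customresourcedefinitions"], "verbs": ALL},
    {"apiGroups": ["admissionregistration.k8s.io"],
     "resources": ["validatingwebhookconfigurations"], "verbs": ALL},
]
# Constructed "after": list on everything, extended access only by name.
AFTER = [
    {"apiGroups": ["apiextensions.k8s.io", "admissionregistration.k8s.io"],
     "resources": ["customresourcedefinitions", "validatingwebhookconfigurations"],
     "verbs": ["list"]},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
     "resourceNames": ["example-pool.example.io"],  # placeholder name
     "verbs": ["get", "patch", "update", "delete"]},
    {"apiGroups": ["admissionregistration.k8s.io"],
     "resources": ["validatingwebhookconfigurations"],
     "resourceNames": ["example-webhook-configuration"],  # placeholder name
     "verbs": ["get", "patch", "update", "delete"]},
]

if __name__ == "__main__":
    print("before:", unscoped_write_rules(BEFORE))
    print("after: ", unscoped_write_rules(AFTER))
```

`list` stays unscoped in the "after" set because a `resourceNames` rule only matches a list request that carries a `metadata.name` field selector, so a client that lists the whole collection still needs the unscoped grant.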