Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict RBAC on webhooks and CRDS #1658

Merged
merged 4 commits into from Oct 29, 2022
Merged

Restrict RBAC on webhooks and CRDS #1658

merged 4 commits into from Oct 29, 2022

Conversation

tylerauerbeck
Copy link
Contributor

This PR restricts the ability to make changes to CRDS and webhooks to only specific CRDS and webhooks deployed by MetalLB.

Fixes #1641

@tylerauerbeck
Copy link
Contributor Author

I'll take a look at these failing tests.

fedepaol
fedepaol reviewed Oct 26, 2022
View reviewed changes
internal/k8s/k8s.go Outdated
@@ -354,7 +354,7 @@ func (c *Client) CreateMlSecret(namespace, controllerDeploymentName, secretName
},
metav1.CreateOptions{})
if err == nil {
level.Info(c.logger).Log("op", "CreateMlSecret", "msg", "secret succesfully created")
level.Info(c.logger).Log("op", "CreateMlSecret", "msg", "secret successfully created")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How comes this is here? I thought I merged it

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a good question. Cleaned this up and looks like it's gone.

@fedepaol
Copy link
Member

Looks good (apart from the intruder commit).

Just one ask, would you mind squashing? I think it makes sense to have 3 commits here:

  • changes to the chart
  • changes to the manifests
  • re-generation of the all-in-one manifests

@tylerauerbeck
Update helm chart to restrict access to CRDs and webhooks
62e3e4f 
Updates RBAC template to only allow list access to all webhooks and CRDS, while permitting the original extended access specifically to MetalLB created resources.

Signed-off-by: Tyler Auerbeck <tylerauerbeck@users.noreply.github.com>
@tylerauerbeck
Update manifests to restrict access to CRDs and webhooks
183e9f9 
Updates RBAC manifest to only allow list access to all webhooks and CRDS, while permitting the original extended access specifically to MetalLB created resources.

Signed-off-by: Tyler Auerbeck <tylerauerbeck@users.noreply.github.com>
@tylerauerbeck
Generate static manifests with new RBAC configurations
775a13d 
Generates various flavors of all-in-one manifests using the new RBAC configuration to restrict RBAC access to MetalLB resources.

Signed-off-by: Tyler Auerbeck <tylerauerbeck@users.noreply.github.com>
@tylerauerbeck
Copy link
Contributor Author

@fedepaol Cleaned this up like you asked. Should be good to go once CI passes.

@fedepaol
Copy link
Member

Awesome, I have a few other prs below this, rebasing, waiting for CI and merging.
Thanks!
LGTM

@fedepaol fedepaol merged commit e5675b2 into metallb:main Oct 29, 2022
@fedepaol fedepaol mentioned this pull request Nov 7, 2022
Closed
@fedepaol fedepaol mentioned this pull request Jan 17, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fedepaol fedepaol fedepaol left review comments

@johananl johananl Awaiting requested review from johananl

@rata rata Awaiting requested review from rata

@russellb russellb Awaiting requested review from russellb russellb is a code owner

@gclawes gclawes Awaiting requested review from gclawes gclawes is a code owner

@oribon oribon Awaiting requested review from oribon oribon is a code owner

Assignees
No one assigned
Labels
hacktoberfest-accepted
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Reduce the permissions on CRDs and Validating / Mutating webhooks
2 participants
@tylerauerbeck @fedepaol