[release-4.13]SDN-4184: Limit OVN-Kubernetes RBAC permissions #2093
Conversation
Changes to metadata via status subresources are not restricted for the basic kubernetes types. This means ovn-kubernetes can set the status/annotations/labels with only the status subresource permissions. openshift-ovn-kubernetes-node cluster role: - Add patch,update permission for pods/status and nodes/status openshift-ovn-kubernetes-controller cluster role: - Add patch,update permission for pods/status, nodes/status, namespaces/status and services/status - Remove delete opermission for pods - I don't think we need that Once OVN-Kubernetes uses only status subresource we can remove the write perms to the pod/node/service resources. Signed-off-by: Patryk Diak <pdiak@redhat.com>
…ous one CSR is a cluster scoped resource and it is not great to have the permission to delete it. CSRs are garbage collected so instead of removing the previous one, always create the CSR with a randomized name. Signed-off-by: Patryk Diak <pdiak@redhat.com>
ovnkube-node creates and reads certificatesigningrequests, there is no need for it to have the update permission. Signed-off-by: Patryk Diak <pdiak@redhat.com> almost a clean cherry-pick of 2dc1fd9
openshift-ci-robot
added
the
jira/valid-reference
|
@JacobTanenbaum: This pull request references SDN-4184 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.13.z" version, but no target version was set. In response to this: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
openshift-ci
bot
added
the
approved
|
@JacobTanenbaum: This pull request references SDN-4184 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.13.z" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/lgtm |
|
@JacobTanenbaum we also need to address #1960 by bringing in 8b5cd5f and probably 2e3fc8e |
it seems that after commit 10dd8c5, we dont need to delete the csr anymore. in fact, we no longer have the needed permissions. the only reason we didnt hit this in CI is an issue after my fix of the if statememnt, this is actually failing ovn-keys, so I had to fix it see that PR#1928 logs - https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/origin-ci-test/pr-logs/pull/openshift_cluster-network-operator/1928/pull-ci-openshift-cluster-network-operator-master-e2e-ovn-ipsec-step-registry/1687090636676665344/artifacts/e2e-ovn-ipsec-step-registry/gather-extra/artifacts/pods/openshift-ovn-kubernetes_ovn-ipsec-9kpnd_ovn-keys.log this fixes openshift#1960
the if there was only valid if the cert didnt exist this fixes openshift#1961
|
@JacobTanenbaum: This pull request references SDN-4184 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.13.z" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@trozet PTAL when you get the chance |
|
/lgtm |
|
/approve |
openshift-ci
bot
added
the
backport-risk-assessed
openshift-ci
bot
assigned anuragthehatter, asood-rh, eurijon, huiran0826, jechen0648, mffiedler and qiowang721
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JacobTanenbaum, jcaamano, kyrtapz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
@JacobTanenbaum: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/jira refresh |
|
@JacobTanenbaum: This pull request references SDN-4184 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.13.z" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/jira refresh |
|
@JacobTanenbaum: This pull request references SDN-4184 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.13.z" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/jira refresh |
|
@tssurya: This pull request references SDN-4184 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target either version "4.13." or "openshift-4.13.", but it targets "Alongside OpenShift 4.13" instead. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/jira refresh |
|
@tssurya: This pull request references SDN-4184 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
knobunc
added
cherry-pick-approved
|
Overrode Jira linkage because the issue did not exist after the IC refactor. |
openshift-merge-bot
bot
merged commit edd0db7
into
openshift:release-4.13
|
[ART PR BUILD NOTIFIER] This PR has been included in build cluster-network-operator-container-v4.13.0-202311152049.p0.gedd0db7.assembly.stream for distgit cluster-network-operator. |
this is the CNO portion of openshift/ovn-kubernetes#1950 and limit the RBAC permissions of ovn-kubernetes
the changes are from
#1896
#1928
#1934
the first two commits applied cleanly leaving the third to have a small conflict because master branch had additional security constraints added
was able to cleanly bring in 8b5cd5f and 2e3fc8e to address #1960