Separate calico-node and calico-cni-plugin service accounts #7106
Conversation
marvin-tigera
added
docs-pr-required
|
|
There was a problem hiding this comment.
A few minor comments. I think you'll want to do a few things:
- Test this on a live cluster to make sure all the permissions are correct (check the calico-node and CNI plugin logs for unauthorized permissions errors)
- Run
make generateto update the manifests - you changed the templates in the charts/ dir, but the artifacts need re-rendering afterwards. - You will need to make the equivalent changes in the tigera/operator repository, since most users install Calico that way nowadays. https://github.com/tigera/operator/blob/master/pkg/render/node.go#L287
| # Used for creating service account tokens to be used by the CNI plugin | ||
| - apiGroups: [""] | ||
| resources: | ||
| - serviceaccounts/token |
There was a problem hiding this comment.
This permission should only be on the calico-node serviceaccount, not on the CNI plugin. We don't want any serviceaccount to have permissions to create its own token.
| @@ -138,26 +123,6 @@ rules: | |||
| - create | |||
| - update | |||
| {{- if eq .Values.network "calico" }} | |||
| # These permissions are required for Calico CNI to perform IPAM allocations. | |||
There was a problem hiding this comment.
I think with testing you'll find that calico/node also needs some of these permissions.
| @@ -17,14 +17,6 @@ rules: | |||
| {{- end }} | |||
| verbs: | |||
| - create | |||
| # The CNI plugin needs to get pods, nodes, and namespaces. | |||
There was a problem hiding this comment.
I think calico/node also needs some of these, unless they are already covered somewhere else.
| - create | ||
| - update | ||
| - delete | ||
| # The CNI plugin and calico/node need to be able to create a default |
There was a problem hiding this comment.
This comment suggests calico-node still needs the IPAMConfigs permission
node/pkg/cni/token_watch.go
Outdated
| @@ -217,7 +218,7 @@ func Run() { | |||
| if err != nil { | |||
| logrus.WithError(err).Fatal("Failed to create in cluster client set") | |||
| } | |||
| tr := NewTokenRefresher(clientset, NamespaceOfUsedServiceAccount(), CNIServiceAccountName()) | |||
| tr := NewTokenRefresher(clientset, NamespaceOfUsedServiceAccount(), NodeServiceAccountName()) | |||
There was a problem hiding this comment.
The goal of this PR is so that calico/node is generating new tokens for the CNI plugin's service account, so I think we want to leave this line unchanged.
node/pkg/cni/token_watch.go
Outdated
| return defaultCNIPluginAccountName | ||
| } | ||
|
|
||
| func NodeServiceAccountName() string { |
There was a problem hiding this comment.
I don't think we need this function - we shouldn't ever be doing any actions on the calico-node serviceaccount.
|
/sem-approve |
| @@ -242,3 +284,15 @@ subjects: | |||
| name: calico-node | |||
| namespace: kube-system | |||
| {{- end }} | |||
| kind: ClusterRoleBinding | |||
There was a problem hiding this comment.
I think this can be a RoleBinding since it's only for a single serviceaccount in one namespace.
There was a problem hiding this comment.
In your other PR, this is a RoleBinding: https://github.com/tigera/operator/pull/2393/files#diff-d4d31d15e69aa9a0bad7776e758dfbd50b8e0e1a969fd16719f56c470cac4e7bR316
|
/sem-approve |
1 similar comment
|
/sem-approve |
|
/sem-approve |
|
/sem-approve |
caseydavenport
changed the title
* [calico] Make version 3.26.1 default * [calico] Separate calico-node and calico-cni-plugin service accounts See: projectcalico/calico#7106
* [calico] Make version 3.26.1 default * [calico] Separate calico-node and calico-cni-plugin service accounts See: projectcalico/calico#7106
* [calico] Make version 3.26.1 default * [calico] Separate calico-node and calico-cni-plugin service accounts See: projectcalico/calico#7106
Description
Split of the calico-node account to calico-node and calico-cni-plugin service account.
Related issues/PRs
Todos
Release Note
Reminder for the reviewer
Make sure that this PR has the correct labels and milestone set.
Every PR needs one
docs-*label.docs-pr-required: This change requires a change to the documentation that has not been completed yet.docs-completed: This change has all necessary documentation completed.docs-not-required: This change has no user-facing impact and requires no docs.Every PR needs one
release-note-*label.release-note-required: This PR has user-facing changes. Most PRs should have this label.release-note-not-required: This PR has no user-facing changes.Other optional labels:
cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.