feat: Reduce permissions for system-upgrade-controller serviceaccount #288
Conversation
LGTM
Before we merge that, I had one more thought: Currently the controller installs its own CRDs if they aren't present in the cluster. So maybe it needs some more permissions for creating CRDs? (I install them separately as part of the kustomization, so it wasn't a thing for me.)
How does the controller handle the failure if the CRDs don't exist, or are out of sync, and it doesn't have permission to create or update them? If we're going to remove permission to create CRDs, we probably need a CLI flag to disable managing them.
If it can't read CRDs directly, it just assumes they exist and assumes it's all fine. We could include the CRD itself into the kustomize output.
Can you rebase this on top of current master so that CI can finish?
891736e to a04cd50 (Compare)
There we go :)
Can you remove the changes to the image/tag kustomization from this PR? I'm not understanding what those have to do with the RBAC; if you want to change that, please open another PR.
This patch drastically cuts down the permissions of the system-upgrade-controller from the previous cluster-admin permissions to a tailored set of permissions for the controller.
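To make the "cluster-admin versus tailored set" difference concrete, here is a small evaluator of Kubernetes RBAC `PolicyRule`s, added as an illustration and not code from the system-upgrade-controller project or this PR. It mirrors how the RBAC authorizer matches a request against a role's rules (wildcards, additive rules, subresources) and audits a few requests against both rule sets. The `TAILORED` rule set is an assumption made for this example (the PR's actual ClusterRole is not reproduced here); it deliberately grants only read access on CRDs, which is exactly the situation the comments above discuss: the controller can check that its CRDs exist but can no longer create or update them.

```python
"""Minimal evaluator for Kubernetes RBAC PolicyRules.

Added illustration, not code from the system-upgrade-controller project.
The TAILORED rule set is an assumption for this example, not the PR's
actual ClusterRole.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyRule:
    """One entry of a (Cluster)Role's `rules:` list."""
    api_groups: tuple
    resources: tuple
    verbs: tuple


@dataclass(frozen=True)
class Request:
    """A resource request as the authorizer sees it."""
    verb: str
    api_group: str   # "" for the core group
    resource: str    # e.g. "customresourcedefinitions" or "pods/log"


def _matches(allowed_values, value):
    """RBAC treats "*" as a wildcard for apiGroups and verbs."""
    return "*" in allowed_values or value in allowed_values


def _resource_matches(allowed_resources, resource):
    """A rule listing "pods" does not cover "pods/log": the subresource must
    be listed explicitly or via "pods/*". This mirrors that behaviour."""
    if "*" in allowed_resources or resource in allowed_resources:
        return True
    if "/" in resource:
        parent = resource.split("/", 1)[0]
        return f"{parent}/*" in allowed_resources
    return False


def allowed(rules, req):
    """Rules are purely additive: any single matching rule grants the request."""
    return any(
        _matches(r.api_groups, req.api_group)
        and _resource_matches(r.resources, req.resource)
        and _matches(r.verbs, req.verb)
        for r in rules
    )


# The previous binding: cluster-admin, i.e. every verb on every resource.
CLUSTER_ADMIN = (PolicyRule(("*",), ("*",), ("*",)),)

# Assumed tailored rule set (illustration only): read CRDs so the controller
# can check they exist, but no create/update on them; full control over its
# own plans, the jobs it spawns, and node labels.
TAILORED = (
    PolicyRule(("apiextensions.k8s.io",), ("customresourcedefinitions",), ("get", "list", "watch")),
    PolicyRule(("upgrade.cattle.io",), ("plans", "plans/status"), ("*",)),
    PolicyRule(("batch",), ("jobs",), ("create", "get", "list", "watch", "delete")),
    PolicyRule(("",), ("nodes",), ("get", "list", "watch", "patch", "update")),
)

# Constructed audit requests: what changed for the service account?
AUDIT = (
    Request("create", "apiextensions.k8s.io", "customresourcedefinitions"),
    Request("get", "apiextensions.k8s.io", "customresourcedefinitions"),
    Request("delete", "", "secrets"),
    Request("update", "upgrade.cattle.io", "plans/status"),
)


def compare(rules_before, rules_after, requests):
    """Map each request to (allowed before, allowed after) for a quick audit."""
    return {
        f"{r.verb} {r.api_group or 'core'}/{r.resource}":
        (allowed(rules_before, r), allowed(rules_after, r))
        for r in requests
    }


if __name__ == "__main__":
    for name, (before, after) in compare(CLUSTER_ADMIN, TAILORED, AUDIT).items():
        print(f"{name:55} cluster-admin={before!s:5} tailored={after}")
```

Running it shows `create customresourcedefinitions` flipping from allowed to denied while `get` stays allowed, which is the gap the reviewers point out: with only read access, the controller can detect missing CRDs but not install them, so either the CRDs ship in the kustomization output or CRD management needs to be switchable off.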
a04cd50 to ba5c781 (Compare)
They had nothing to do with the change, just cleaning up along the way. Undid them for now :)
….13.3 ) (patch) (#4296)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [docker.io/rancher/system-upgrade-controller](https://togithub.com/rancher/system-upgrade-controller) | patch | `v0.13.2` -> `v0.13.3` |
| [rancher/system-upgrade-controller](https://togithub.com/rancher/system-upgrade-controller) | patch | `v0.13.2` -> `v0.13.3` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>rancher/system-upgrade-controller (docker.io/rancher/system-upgrade-controller)</summary>

### [`v0.13.3`](https://togithub.com/rancher/system-upgrade-controller/releases/tag/v0.13.3)

[Compare Source](https://togithub.com/rancher/system-upgrade-controller/compare/v0.13.2...v0.13.3)

#### What's Changed

- Propagate labels and annotations from plans to jobs by [@sfackler](https://togithub.com/sfackler) in rancher/system-upgrade-controller#286
- Add a Complete condition to plans by [@sfackler](https://togithub.com/sfackler) in rancher/system-upgrade-controller#292
- feat: Reduce permissions for system-upgrade-controller serviceaccount by [@SISheogorath](https://togithub.com/SISheogorath) in rancher/system-upgrade-controller#288
- Bump mods by [@brandond](https://togithub.com/brandond) in rancher/system-upgrade-controller#293

#### New Contributors

- [@sfackler](https://togithub.com/sfackler) made their first contribution in rancher/system-upgrade-controller#286
- [@SISheogorath](https://togithub.com/SISheogorath) made their first contribution in rancher/system-upgrade-controller#288

**Full Changelog**: rancher/system-upgrade-controller@v0.13.2...v0.13.3

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate).

Co-authored-by: lumiere-bot[bot] <98047013+lumiere-bot[bot]@users.noreply.github.com>
…v0.13.2 → v0.13.3 ) (#4295)

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [docker.io/rancher/system-upgrade-controller](https://togithub.com/rancher/system-upgrade-controller) | patch | `v0.13.2` -> `v0.13.3` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>rancher/system-upgrade-controller (docker.io/rancher/system-upgrade-controller)</summary>

### [`v0.13.3`](https://togithub.com/rancher/system-upgrade-controller/releases/tag/v0.13.3)

[Compare Source](https://togithub.com/rancher/system-upgrade-controller/compare/v0.13.2...v0.13.3)

#### What's Changed

- Propagate labels and annotations from plans to jobs by [@sfackler](https://togithub.com/sfackler) in rancher/system-upgrade-controller#286
- Add a Complete condition to plans by [@sfackler](https://togithub.com/sfackler) in rancher/system-upgrade-controller#292
- feat: Reduce permissions for system-upgrade-controller serviceaccount by [@SISheogorath](https://togithub.com/SISheogorath) in rancher/system-upgrade-controller#288
- Bump mods by [@brandond](https://togithub.com/brandond) in rancher/system-upgrade-controller#293

#### New Contributors

- [@sfackler](https://togithub.com/sfackler) made their first contribution in rancher/system-upgrade-controller#286
- [@SISheogorath](https://togithub.com/SISheogorath) made their first contribution in rancher/system-upgrade-controller#288

**Full Changelog**: rancher/system-upgrade-controller@v0.13.2...v0.13.3

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://togithub.com/renovatebot/renovate).

Co-authored-by: lumiere-bot[bot] <98047013+lumiere-bot[bot]@users.noreply.github.com>