-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
helm: clusterrole to add objectbucketclaims to user facing roles #12329
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The OBCs already have rbac defined in the rook-ceph-object-bucket clusterrole. Do we just need to make the labels on the clusterrole configurable? The new clusterroles seem duplicative of the existing clusterrole.
this clusterrole grants too many things as it is "Used for provisioning ObjectBuckets (OBs) in response to ObjectBucketClaims (OBCs) ", (ie. it is used by the operator to implement an obc into an ob+secret) the idea of those "user facing" clusterrole (view,edit,admin) are to be granted to a user to manage his application in a namespace (with a RoleBinding), so only namespaced resources [1], to consume those resources. in "plain" words, as a user limited to a namespace, I need a bucket (obc) and attach it to my application (using the AK/SK in the secret created with the ob). The parallel of pv/pvc/storageclass in the default "view/edit" clusterrole (kubectl get clusterrole view) : apiGroups:
- ""
resources:
...
- persistentvolumeclaims
- persistentvolumeclaims/status
verbs:
- get
- list
- watch with only persistentvolumeclaims and not persistentvolume or storageclass. definition of edit/admin/view:
[1]: I did not include resources like cephblockpools, while they are namespaces, I don't consider a "standard" user (ie. not a cluster admin) would deploy those anyway |
regarding the Integration test CephUpgradeSuite, |
@jouve could you provide more context about the specifics of what these changes intend? I don't doubt that many of our RBAC resources could be improved a little, but I'm concerned that these changes might be specifically targeted toward users in your cluster and not something that would be helpful for all Rook users. |
Let's assume 2 kinds of users in a cluster:
k8s defines roles, that it calls "user facing roles" to support this model : https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
k8s also completes "admin" with 2 other roles:
To make this easier to use with custom resources, k8s does embed a controller so that clusterrole with the annotation that way, the admin only need to grant admin/edit/view to "standard" users once, and fix admin/edit/view roles for new custom resources (using the mechanism described above). => this model is provided by k8s, not "my" model. objectbucketclaim being the object storage equivalent of pvc (pvc is in the admin/edit/view) , I think it's safe to add have the feature to add it to the 3 roles admin/view/edit (disabled by default in this PR for backward compatibility). for example: a "standard" (with role admin in his namespace) user deploy nextcloud (a file hosting app, like google drive) in his namespace, nextclound can use filesystem storage or object storage as a backend:
|
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. Thank you for your contributions. |
This pull request has been automatically closed due to inactivity. Please re-open if these changes are still required. |
@jouve any updates |
thanks for reopening :) what would be needed to progress ? |
Is there changes needed to add or you are waiting for the reviews |
I replied to @travisn and @BlaineEXE. Idk if they were convinced ?! |
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in two weeks if no further activity occurs. Thank you for your contributions. |
deploy/charts/rook-ceph/values.yaml
Outdated
@@ -55,6 +55,10 @@ logLevel: INFO | |||
# -- If true, create & use RBAC resources | |||
rbacEnable: true | |||
|
|||
rbacAggregate: | |||
# -- If true, create a ClusterRole aggregated to [user facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) | |||
enabled: false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The roles are currently very specific to OBCs. Perhaps this setting should be more specific to OBCs, and if any other RBAC is aggregated in the future, they would have separate settings. What about this?
rbacAggregate:
enableOBCs: true
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
@@ -0,0 +1,35 @@ | |||
{{- if .Values.rbacAggregate.enabled }} | |||
apiVersion: rbac.authorization.k8s.io/v1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are these roles automatically added to any k8s user in the view/edit group, or are they only enabled for users after more admin control? I wonder if it could be easier to include these as default roles created by Rook, which would not add complexity to the helm chart. As long as doing so wouldn't accidentally give users extra permissions, maybe we should consider that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the roles are added to the cluster roles view / edit / admin respectively thanks to the ClusterRole aggregation.
view/edit/admin are default roles of the ClusterRole aggregator.
then a "human" admin binds those role to users in a namespace (using rolebinding), so it's disabled by default to ensure backward compatibility.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please squash the commits and also add a description paragraph as described in the commit structure. Otherwise, LGTM
add view & edit ClusterRole for obc. the roles are added to the default user facing roles view / edit / admin respectively using k8s ClusterRole aggregation. feature disabled for backward compatibility and controlled with rbacAggregate.enableOBCs. Signed-off-by: Cyril Jouve <jv.cyril@gmail.com>
helm: clusterrole to add objectbucketclaims to user facing roles (backport #12329)
Description of your changes:
create rbac to view/edit objectbucketclaim and aggregate to user facing roles
view/edit/admin clusterroles are bound to a user & namespace, to manage said namespace, and are now able to create a bucket with this change.
example for cert-manager or elastic-operator
Which issue is resolved by this Pull Request:
Resolves #
Checklist:
skip-ci
on the PR.