Add rights to access licensekeys for kube-controller #1247

Merged 1 commit, Mar 30, 2021

Conversation

@asincu asincu commented Mar 29, 2021

Description

Adding rights to list/watch/get licensekeys from a management cluster and create/update from a managed cluster.

For PR author

  • Tests for change.
  • If changing pkg/apis/, run make gen-files
  • If changing versions, run make gen-versions

For PR reviewers

A note for code reviewers - all pull requests must have the following:

  • Milestone set according to targeted release.
  • Appropriate labels:
    • kind/bug if this is a bugfix.
    • kind/enhancement if this is a new feature.
    • enterprise if this PR applies to Calico Enterprise only.

Member
@rene-dekker rene-dekker left a comment

lgtm

@asincu asincu merged commit 83f1761 into tigera:master Mar 30, 2021
@asincu asincu deleted the add_license_rights branch March 30, 2021 00:09
@@ -283,6 +289,14 @@ func (c *kubeControllersComponent) controllersRole() *rbacv1.ClusterRole {
Verbs: []string{"create"},
})
}

if c.managementClusterConnection != nil {
role.Rules = append(role.Rules, rbacv1.PolicyRule{
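Review bot: the rule appended under `if c.managementClusterConnection != nil` grants kube-controllers in the managed cluster create/update on licensekeys even though, per the discussion below, that controller never handles licenses itself; the grant is needed only because guardian impersonates kube-controllers for requests arriving through the tunnel from the management cluster. Put that rationale in a code comment directly above the `append`, and keep the rule scoped to the licensekeys resource and the create/update verbs named in the description, so that someone auditing the ClusterRole later does not read it as a dead grant or widen it.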
Member
How does this work since the actual create/update comes from the management cluster?
Does guardian impersonate kube-controller in the managed cluster, so the operator in the managed cluster needs to give kube-controller permissions to create/update the licensekeys even though the kube-controller in the managed cluster won't be doing anything with licenses?

Contributor Author
Yes, all API requests that pass through the tunnel use impersonation.

Member
That is right. Guardian impersonates ckc and for this the role should be present.
