Consolidate RBAC for Guardian to handle backend component requests from the management cluster#3969
Conversation
```go
// CalicoKubeControllersClusterRoleRules defines RBAC rules for calico-kube-controller pods
// and for guardian to handle kube-controller requests from the management cluster.
func CalicoKubeControllersClusterRoleRules(isEnterpriseCluster bool, isOpenShift bool, isManagedCluster bool) []rbacv1.PolicyRule {
```
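Review bot: the three positional booleans in CalicoKubeControllersClusterRoleRules(isEnterpriseCluster bool, isOpenShift bool, isManagedCluster bool) are easy to transpose at a call site and the signature does not say which rules each flag adds; consider an options struct with named fields, or at least extend the doc comment to state what isManagedCluster contributes for the Guardian case the comment mentions, so a reviewer of the managed-cluster role can see which grants exist only because Guardian proxies kube-controller requests.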
In our existing code, we have some common functions within kubecontroller for building the ClusterRole rules used by both calico-kube-controllers and es-calico-kube-controllers, which are passed into the renderer via cfg.
To enable reuse between kube-controllers and Guardian, I’ve moved these functions to a common file under render.
Could guardian not just import these from pkg/render/kubecontrollers?
Guessing there was an import cycle? Best way to fix it would likely be to have pkg/render/guardian/guardian.go?
Yes, it’s to avoid an import cycle.
I moved it into a common function to prevent duplicating the same code in both Guardian and KubeController, which would otherwise require updates in two separate places in the future.
I think these should still be in the kubecontrollers package, and guardian should be a new guardian package in order to fix this - otherwise these are outliers compared to how we do permissions for everything else.
Happy for that to be another PR though.
caseydavenport left a comment:
Thanks @vara2504 - added some thoughts
@caseydavenport Since these changes affect only the backend components of the management cluster, no documentation or release notes are required.
Consolidates the necessary RBAC in the managed cluster into a single Guardian identity to handle all backend requests from the management cluster.
Guardian will handle the requests made on behalf of the following service accounts from the management cluster for Enterprise:
system:serviceaccount:calico-system:calico-kube-controllers
system:serviceaccount:tigera-elasticsearch:tigera-linseed
system:serviceaccount:tigera-intrusion-detection:intrusion-detection-controller
system:serviceaccount:tigera-manager:tigera-manager
system:serviceaccount:tigera-policy-recommendation:tigera-policy-recommendation
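As an added illustration of what folding several callers into one Guardian identity means for review (this is not the operator's code, and the per-component rule subsets below are constructed for the example, not the real rules), the Go program merges component ClusterRole rules into one de-duplicated rule list and then checks the two properties a reviewer of the managed-cluster role wants: every component's grants are still covered, and the merged role confers nothing that no component asked for, with a bare `*` reported as excess. `PolicyRule` is a local stand-in for `rbacv1.PolicyRule` so the example runs without the Kubernetes module; `Consolidate`, `Missing` and `Excess` are names chosen here.

```go
package main

import (
	"fmt"
	"sort"
)

// PolicyRule is a minimal local stand-in for rbacv1.PolicyRule (assumption, keeps the example offline).
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

// grant is one fully expanded (apiGroup, resource, verb) permission.
type grant struct{ Group, Resource, Verb string }
func (g grant) String() string { return fmt.Sprintf("%s/%s:%s", g.Group, g.Resource, g.Verb) }

// expand flattens rules into the concrete grants they confer.
func expand(rules []PolicyRule) map[grant]bool {
	out := map[grant]bool{}
	for _, r := range rules {
		for _, ag := range r.APIGroups {
			for _, res := range r.Resources {
				for _, v := range r.Verbs {
					out[grant{ag, res, v}] = true
				}
			}
		}
	}
	return out
}

func match(have, want string) bool { return have == "*" || have == want }

// allows reports whether the grant set permits g, honouring "*" wildcards held in the set.
func allows(set map[grant]bool, g grant) bool {
	for have := range set {
		if match(have.Group, g.Group) && match(have.Resource, g.Resource) && match(have.Verb, g.Verb) { return true }
	}
	return false
}

// Consolidate merges per-component rules into one Guardian rule list: one rule per (apiGroup, resource), verbs sorted, stable order.
func Consolidate(components map[string][]PolicyRule) []PolicyRule {
	verbs := map[[2]string]map[string]bool{}
	for _, rules := range components {
		for g := range expand(rules) {
			key := [2]string{g.Group, g.Resource}
			if verbs[key] == nil { verbs[key] = map[string]bool{} }
			verbs[key][g.Verb] = true
		}
	}
	keys := make([][2]string, 0, len(verbs))
	for k := range verbs { keys = append(keys, k) }
	sort.Slice(keys, func(i, j int) bool { return keys[i][0]+"/"+keys[i][1] < keys[j][0]+"/"+keys[j][1] })
	var out []PolicyRule
	for _, k := range keys {
		vs := make([]string, 0, len(verbs[k]))
		for v := range verbs[k] { vs = append(vs, v) }
		sort.Strings(vs)
		out = append(out, PolicyRule{APIGroups: []string{k[0]}, Resources: []string{k[1]}, Verbs: vs})
	}
	return out
}

// Missing lists grants a component needs that the consolidated role does not confer.
func Missing(consolidated, component []PolicyRule) []string {
	have := expand(consolidated)
	var out []string
	for g := range expand(component) {
		if !allows(have, g) { out = append(out, g.String()) }
	}
	sort.Strings(out)
	return out
}

// Excess lists grants the consolidated role confers that no component asked for; a "*" no component itself needs is excess.
func Excess(consolidated []PolicyRule, components map[string][]PolicyRule) []string {
	need := map[grant]bool{}
	for _, rules := range components {
		for g := range expand(rules) { need[g] = true }
	}
	var out []string
	for g := range expand(consolidated) {
		if !need[g] { out = append(out, g.String()) }
	}
	sort.Strings(out)
	return out
}

// Components: constructed, illustrative rule subsets keyed by the service account a request is made on behalf of (not the real rules).
var Components = map[string][]PolicyRule{
	"calico-kube-controllers":        {{APIGroups: []string{""}, Resources: []string{"nodes"}, Verbs: []string{"get", "list", "watch"}}},
	"tigera-linseed":                 {{APIGroups: []string{""}, Resources: []string{"nodes"}, Verbs: []string{"get"}}, {APIGroups: []string{"projectcalico.org"}, Resources: []string{"managedclusters"}, Verbs: []string{"get", "list"}}},
	"intrusion-detection-controller": {{APIGroups: []string{"projectcalico.org"}, Resources: []string{"globalalerts"}, Verbs: []string{"get", "list", "watch", "update"}}},
}
```

Run `Consolidate(Components)` to get the Guardian rule list, then `Missing` per component and `Excess` over the whole map; both should come back empty for a correct consolidation. The point of `Excess` is that once Guardian is a single identity, any verb or resource that slipped in beyond the union is reachable by every caller Guardian proxies, so the check fails closed on a `*` rather than treating it as "covers everything".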
For PR author:
make gen-files
make gen-versions
For PR reviewers:
A note for code reviewers - all pull requests must have the following:
kind/bug if this is a bugfix.
kind/enhancement if this is a new feature.
enterprise if this PR applies to Calico Enterprise only.