Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

limit perms for crds #1044

Open
ReSearchITEng opened this issue Jul 3, 2020 · 4 comments
Open

limit perms for crds #1044

ReSearchITEng opened this issue Jul 3, 2020 · 4 comments
Labels
question

Comments

@ReSearchITEng
Copy link
Contributor

Request to access crds is usually a problem for non-admin users.

If we want to drastically limit to crds, what are the smallest list of perms required?

FYI, we have already set:

oc get cm postgres-operator -o yaml | grep crd
  enable_crd_validation: "false"

confirmed by:

oc patch crd postgresqls.acid.zalan.do -p '{"spec":{"validation": null }}'
customresourcedefinition.apiextensions.k8s.io/postgresqls.acid.zalan.do patched (no change)

But we get:

level=error msg="could not create customResourceDefinition \"postgresqls.acid.zalan.do\": customresourcedefinitions.apiextensions.k8s.io is forbidden: User \"system:serviceaccount:pg:postgres-operator\" cannot create resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope" pkg=controller

Is this the minimum requried perm?

  • apiGroups:
    • apiextensions.k8s.io
      resources:
    • customresourcedefinitions
      verbs:
    • get

PS: related to PR: https://github.com/zalando/postgres-operator/pull/599/files
@ReSearchITEng ReSearchITEng mentioned this issue Jul 3, 2020
Closed
@FxKu
Copy link
Member

FxKu commented Jul 9, 2020

I'm a bit confused. It looks like you want something like our user-facing cluster roles.

Why disable CRD validation? That's to check if submitted manifest contain errors. The last error message has nothing to do with this. It just means the serviceAccount you are using does not have the permission to create a CRD. Have you change the operator cluster role? This one needs to be able to register CRDs and update them.

@FxKu FxKu added the question label Jul 9, 2020
@ReSearchITEng
Copy link
Contributor Author

@FxKu Thanks for clarification on enable_crd_validation .
As for your question:

Have you change the operator cluster role? This one needs to be able to register CRDs and update them.

Yes, we must restrict it to "get" verb only. The serviceAccounts we use (including pg opr serviceAccount) are not allowed to create/update crds. (crd deploy is done by admins, in flow before).
Why would it require? Is it mandatory or maybe we can put a parameter to skip it?

@machine424
Copy link
Contributor

I also would like to prevent the operator from managing the CRDs, we want to the limit the operator ClusterRole permissions and we will deploy multiple postgres-operators so it's better that only admins have control on the CRDs.

Now, the operators log could not create customResourceDefinition, is it ok? they're not running on a degraded mode or something?

Also I would like to know if CRDs change a lot and if backward compatibility is always ensured (I think it's the case), basically I would like to know if using multiple operators is a good idea, I don't want all my pg clusters to rely on the same operators.

Thanks.

@neelasha-09
Copy link
Contributor

@FxKu : We are facing the same issue in our cluster ? how can we avoid it ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@FxKu @ReSearchITEng @machine424 @neelasha-09