
Document some of the Antrea Agent RBAC permissions #3694

Conversation

antoninbas

And how to restrict them using Gatekeeper / OPA.

Signed-off-by: Antonin Bas [email protected]

@antoninbas antoninbas added the kind/documentation Categorizes issue or PR as related to a documentation. label Apr 27, 2022
@antoninbas (Contributor, Author) commented:

I tested the Gatekeeper policies on a test cluster.

Starting with K8s v1.24, kubectl supports a --subresource flag and the following commands can be run from the antrea-agent Pod for validation:

```bash
# should succeed
kubectl patch --type='json' --subresource status node/<NODE_NAME> -p '[{"op":"add","path":"/metadata/annotations/foo","value": "bar"}]'
# should fail
kubectl patch --type='json' --subresource status node/<NODE_NAME> -p '[{"op":"add","path":"/metadata/labels/foo","value": "bar"}]'
```
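The two kubectl commands above exercise one rule: the antrea-agent may write Node annotations through the `nodes/status` subresource, but a label change through the same subresource must be rejected. The PR documents that rule as a Gatekeeper / OPA policy in Rego; the block below is an added example, not code from the PR or from the Antrea project, that reproduces the same decision as a validating admission webhook in Go so it can be run offline against constructed AdmissionReview requests. It assumes the agent's ServiceAccount is `antrea-agent` in `kube-system` (hence the username `system:serviceaccount:kube-system:antrea-agent`), and the type and function names (`ValidateNodeStatusUpdate`, `Review`) are this example's own. Only the fields of the `admission.k8s.io/v1` schema that the check needs are modelled.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the admission.k8s.io/v1 AdmissionReview schema needed for the check.
type AdmissionReview struct {
	Request  *AdmissionRequest  `json:"request,omitempty"`
	Response *AdmissionResponse `json:"response,omitempty"`
}

type AdmissionRequest struct {
	UID         string               `json:"uid"`
	Resource    GroupVersionResource `json:"resource"`
	SubResource string               `json:"subResource,omitempty"`
	UserInfo    UserInfo             `json:"userInfo"`
	Object      json.RawMessage      `json:"object,omitempty"`    // Node after the patch
	OldObject   json.RawMessage      `json:"oldObject,omitempty"` // Node before the patch
}

type GroupVersionResource struct {
	Group    string `json:"group"` // "" for the core group, which is where nodes live
	Resource string `json:"resource"`
}

type UserInfo struct {
	Username string `json:"username"`
}

type AdmissionResponse struct {
	UID     string         `json:"uid"`
	Allowed bool           `json:"allowed"`
	Result  *StatusMessage `json:"status,omitempty"`
}

type StatusMessage struct {
	Message string `json:"message"`
}

// nodeLabels decodes only metadata.labels from a serialized Node; nothing else matters here.
type nodeLabels struct {
	Metadata struct {
		Labels map[string]string `json:"labels"`
	} `json:"metadata"`
}

// AntreaAgentUser is the username the API server derives from the antrea-agent
// ServiceAccount. Assumed: the account is named antrea-agent in kube-system.
const AntreaAgentUser = "system:serviceaccount:kube-system:antrea-agent"

// ValidateNodeStatusUpdate denies a nodes/status write by the antrea-agent when
// it changes metadata.labels. Annotation and status changes pass. Requests from
// other users, or on other resources, are out of scope and are allowed here.
func ValidateNodeStatusUpdate(req *AdmissionRequest) (bool, string) {
	if req.UserInfo.Username != AntreaAgentUser {
		return true, ""
	}
	if req.Resource.Group != "" || req.Resource.Resource != "nodes" || req.SubResource != "status" {
		return true, ""
	}
	var before, after nodeLabels
	if err := json.Unmarshal(req.OldObject, &before); err != nil {
		return false, "cannot decode oldObject: " + err.Error() // fail closed
	}
	if err := json.Unmarshal(req.Object, &after); err != nil {
		return false, "cannot decode object: " + err.Error()
	}
	if !sameLabels(before.Metadata.Labels, after.Metadata.Labels) {
		return false, "antrea-agent may only change Node annotations and status through nodes/status, not labels"
	}
	return true, ""
}

// sameLabels treats a nil map and an empty map as equal.
func sameLabels(a, b map[string]string) bool {
	if len(a) != len(b) {
		return false
	}
	for k, v := range a {
		if w, ok := b[k]; !ok || w != v {
			return false
		}
	}
	return true
}

// Review decodes an AdmissionReview body, runs the check and returns the encoded
// AdmissionReview carrying the response, as a validating webhook would reply.
func Review(body []byte) ([]byte, error) {
	var ar AdmissionReview
	if err := json.Unmarshal(body, &ar); err != nil {
		return nil, err
	}
	if ar.Request == nil {
		return nil, fmt.Errorf("admission review has no request")
	}
	allowed, msg := ValidateNodeStatusUpdate(ar.Request)
	ar.Response = &AdmissionResponse{UID: ar.Request.UID, Allowed: allowed}
	if !allowed {
		ar.Response.Result = &StatusMessage{Message: msg}
	}
	ar.Request = nil
	return json.Marshal(ar)
}
```

The webhook compares `oldObject` and `object` rather than inspecting the JSON patch, because the API server hands admission webhooks the fully patched object; a policy written that way covers strategic-merge and merge patches as well as the JSON patches in the commands above. A real deployment would also pin the webhook to `UPDATE` operations on `nodes/status` in its configuration so the handler is not called for unrelated traffic.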

@antoninbas antoninbas added this to the Antrea v1.7 release milestone Apr 27, 2022
codecov-commenter commented Apr 27, 2022

Codecov Report

Merging #3694 (5019cca) into main (af56766) will decrease coverage by 11.98%.
The diff coverage is n/a.


```diff
@@             Coverage Diff             @@
##             main    #3694       +/-   ##
===========================================
- Coverage   64.53%   52.54%   -11.99%     
===========================================
  Files         278      392      +114     
  Lines       39510    55085    +15575     
===========================================
+ Hits        25497    28945     +3448     
- Misses      12038    23818    +11780     
- Partials     1975     2322      +347     
```
| Flag | Coverage Δ |
| --- | --- |
| integration-tests | 38.01% <ø> (?) |
| kind-e2e-tests | 39.75% <ø> (-12.36%) ⬇️ |
| unit-tests | 43.83% <ø> (-0.04%) ⬇️ |

Flags with carried forward coverage won't be shown.

| Impacted Files | Coverage Δ |
| --- | --- |
| pkg/agent/controller/networkpolicy/reject.go | 0.00% <0.00%> (-85.89%) ⬇️ |
| ...g/agent/apiserver/handlers/featuregates/handler.go | 4.54% <0.00%> (-77.28%) ⬇️ |
| pkg/agent/controller/networkpolicy/packetin.go | 0.00% <0.00%> (-66.91%) ⬇️ |
| pkg/controller/networkpolicy/mutate.go | 0.00% <0.00%> (-63.48%) ⬇️ |
| pkg/apis/controlplane/v1beta2/helper.go | 40.00% <0.00%> (-60.00%) ⬇️ |
| pkg/controller/egress/store/egressgroup.go | 1.72% <0.00%> (-54.32%) ⬇️ |
| pkg/apiserver/handlers/webhook/mutation_crd.go | 0.00% <0.00%> (-52.18%) ⬇️ |
| ...kg/apiserver/registry/system/supportbundle/rest.go | 22.17% <0.00%> (-50.44%) ⬇️ |
| pkg/util/logdir/logdir.go | 0.00% <0.00%> (-50.00%) ⬇️ |
| pkg/support/dump.go | 7.90% <0.00%> (-49.16%) ⬇️ |
| ... and 179 more | |

Review thread on docs/security.md (outdated, resolved)

@tnqn (Member) left a comment:

LGTM except the typo Xu pointed out

And how to restrict them using Gatekeeper / OPA.

Co-authored-by: Yuval Avrahami <[email protected]>
Signed-off-by: Antonin Bas <[email protected]>
@antoninbas antoninbas force-pushed the document-how-to-restict-antrea-agent-permissions-with-opa-gatekeeper branch from 8cf948c to 5019cca on April 28, 2022 19:33
@antoninbas antoninbas requested review from tnqn and xliuxu April 28, 2022 19:33
@xliuxu (Contributor) left a comment:

LGTM

@antoninbas (Contributor, Author) commented:

/skip-all

@antoninbas antoninbas merged commit 9828398 into antrea-io:main Apr 29, 2022
@antoninbas antoninbas deleted the document-how-to-restict-antrea-agent-permissions-with-opa-gatekeeper branch April 29, 2022 17:15