Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make admin privileges configurable #89

Merged
merged 1 commit into from
Sep 28, 2023
Merged

Make admin privileges configurable #89

merged 1 commit into from
Sep 28, 2023

Conversation

ymmt2005
Copy link
Member

@ymmt2005 ymmt2005 commented Sep 27, 2023
edited
Loading

Fix #82.

With this change, we stop granting the below permission to the
accurate controller.

  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - get
      - list
      - watch

Also, we make the ClusterRole admin optional.
The Helm chart now takes optional ClusterRoles to be granted.

@ymmt2005 ymmt2005 self-assigned this Sep 27, 2023
@ymmt2005 ymmt2005 force-pushed the remove-too-permissive-rbac branch 5 times, most recently from 9c19f30 to 2b50aa1 Compare September 27, 2023 08:12
@ymmt2005 ymmt2005 marked this pull request as ready for review September 27, 2023 08:18
ymmt2005
ymmt2005 commented Sep 27, 2023
View reviewed changes
README.md
@@ -49,7 +49,11 @@ Run and try Accurate on a [kind (Kubernetes-In-Docker)][kind] cluster as follows

3. Install [aqua][].

https://aquaproj.github.io/docs/tutorial-basics/quick-start
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This page no longer exists.

@morimoto-cybozu
Copy link

@ymmt2005
Don't we need to remove //+kubebuilder:rbac:... from controllers/propagate.go?

@ymmt2005
Make admin privileges configurable
f8bff61 
Fix #82.

With this change, we stop granting the below permission to the
accurate controller.

```yaml
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - get
      - list
      - watch
```

Also, we make the ClusterRole admin optional.
The Helm chart now takes optional ClusterRoles to be granted.
@ymmt2005 ymmt2005 force-pushed the remove-too-permissive-rbac branch from 2b50aa1 to f8bff61 Compare September 27, 2023 13:21
erikgb
erikgb suggested changes Sep 27, 2023
View reviewed changes
Copy link
Contributor

@erikgb erikgb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes look good to me, but I think this should be removed: https://github.com/cybozu-go/accurate/blob/main/controllers/propagate.go#L57, and then run controller-gen.

charts/accurate/values.yaml Show resolved Hide resolved
@ymmt2005
Copy link
Member Author

Thanks. Updated.

erikgb
erikgb approved these changes Sep 27, 2023
View reviewed changes
Copy link
Contributor

@erikgb erikgb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

morimoto-cybozu
morimoto-cybozu approved these changes Sep 28, 2023
View reviewed changes
Copy link

@morimoto-cybozu morimoto-cybozu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ymmt2005 ymmt2005 merged commit 7573c38 into main Sep 28, 2023
8 checks passed
@ymmt2005 ymmt2005 deleted the remove-too-permissive-rbac branch September 28, 2023 00:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@morimoto-cybozu morimoto-cybozu morimoto-cybozu approved these changes

@erikgb erikgb erikgb approved these changes

@zoetrope zoetrope Awaiting requested review from zoetrope

@zeroalphat zeroalphat Awaiting requested review from zeroalphat

@d-kuro d-kuro Awaiting requested review from d-kuro

Assignees

@ymmt2005 ymmt2005

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Controller RBAC is too permissive
3 participants
@ymmt2005 @morimoto-cybozu @erikgb