
fine tune rbac #1109

Merged
merged 2 commits into from
Jun 16, 2018

Conversation

rootfs
Contributor

@rootfs rootfs commented Jun 8, 2018

Fixes #1095

Proposed Changes

add cluster role (admin, read, write) to replace cluster-admin

Release Note

Fine tune Clusterrole and Clusterrolebindings

@google-prow-robot google-prow-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jun 8, 2018
@rootfs
Contributor Author

rootfs commented Jun 8, 2018

/assign @jonjohnsonjr

@rootfs
Contributor Author

rootfs commented Jun 8, 2018

/assign @evankanderson

@grantr
Contributor

grantr commented Jun 8, 2018

/retest

@grantr grantr requested a review from josephburnett June 8, 2018 18:31
@grantr
Contributor

grantr commented Jun 8, 2018

I don't know enough about RBAC rules to review this correctly. @rootfs, how were these rules generated?

The integration test failure seems legitimate BTW. I see errors like:

Failed to list *v1alpha1.Build: builds.build.dev is forbidden: User "system:serviceaccount:knative-serving-system:controller" cannot list builds.build.dev at the cluster scope: Unknown user "system:serviceaccount:knative-serving-system:controller"

@rootfs are you able to see the integration test logs?

@rootfs
Contributor Author

rootfs commented Jun 8, 2018

@grantr no, I cannot (no google account). I generated the rules manually by reading the code and finding what resources are being used. It is highly probable I missed some (and thus DNM tag). I am still new to knative, so bear with me for the moment.

@rootfs
Contributor Author

rootfs commented Jun 8, 2018

@grantr added eventing and build crd api groups, let's see how the tests go

@grantr
Contributor

grantr commented Jun 8, 2018

@rootfs It's not ideal, but there's a workaround for seeing the test logs without a google account by composing a URL to a GCS object. See https://github.com/knative/serving/blob/master/community/REVIEWING.md#viewing-test-logs.

@rootfs rootfs changed the title [DNM] fine tune rbac [WIP] fine tune rbac Jun 8, 2018
@google-prow-robot google-prow-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 8, 2018
@rootfs rootfs force-pushed the rbac branch 2 times, most recently from f4560a3 to 78378a7 Compare June 11, 2018 14:57
@rootfs rootfs force-pushed the rbac branch 2 times, most recently from 6577498 to c745281 Compare June 15, 2018 17:25
@rootfs rootfs changed the title [WIP] fine tune rbac fine tune rbac Jun 15, 2018
@google-prow-robot google-prow-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 15, 2018
Signed-off-by: Huamin Chen <[email protected]>
@rootfs
Contributor Author

rootfs commented Jun 15, 2018

@grantr @mattmoor @jonjohnsonjr PTAL, thanks

@rootfs
Contributor Author

rootfs commented Jun 15, 2018

/assign @evankanderson

- apiGroups: ["build.dev"]
resources: ["builds", "buildtemplates"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["feeds.knative.dev"]
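
Review bot: the build.dev rule gives the controller create/update/delete/patch on buildtemplates as well as on builds, but the only justification given on this thread for keeping build permissions in serving is that revisions reference builds. If the controller creates and watches builds and merely reads templates, buildtemplates can drop to get/list/watch, and delete on builds should stay only if this controller is what cleans them up. The feeds.knative.dev entry on the last line is an eventing API group with no consumer in this repo; if it is kept for now it should be its own rule with a comment so it can be removed cleanly once eventing carries its own role.
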
Contributor

Should these be part of this repo? Probably eventing permissions should go in a separate service account for eventing controllers. WDYT @vaikas-google?

Contributor

I don't think so, they should be part of eventing and I think builds above should also be part of the build repo?

Contributor Author

build has to be here, because revision references it here

eventing can be separate.

Signed-off-by: Huamin Chen <[email protected]>
Contributor

@grantr grantr left a comment

/lgtm
Thanks for getting it to pass @rootfs!

It's toil to have to create and update this when we need new permissions. I wish these rules could be generated. https://github.com/kubernetes-sigs/kubebuilder can generate roles based on comments in the controller definition, which seems preferable to having them here.

Since we don't have that, I think it would be a good idea to add a comment near the controllers (I'm not sure where since controllers are in flux right now) saying that these rules should be kept in sync as new resources are used.

@google-prow-robot google-prow-robot added the lgtm Indicates that a PR is ready to be merged. label Jun 15, 2018
@rootfs
Contributor Author

rootfs commented Jun 15, 2018

yes, a rule generator is surely helpful.

In the meantime, I'll dig into rbac in eventing.

Member

@evankanderson evankanderson left a comment

/approve

I'd like to tighten these up further outside of serving.knative.dev, but this seems like a good start.

Should we also have suggested/example roles for the developer and operator personas? Probably a separate file and PR, though.

rules:
- apiGroups: [""]
resources: ["pods", "namespaces", "secrets", "configmaps", "endpoints", "services", "events", "serviceaccounts"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
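
Review bot: this core-group rule is the part of the role closest to cluster-admin. It grants create, update, delete and patch on secrets, serviceaccounts and namespaces across the cluster, and with write access to secrets and serviceaccounts a compromised controller pod can read or mint credentials for any other workload. Unless the controller actually creates these objects, secrets, serviceaccounts and namespaces should drop to get/list/watch, and events usually need only create and patch. The same seven-verb list is repeated on every rule of this role, which suggests the verbs were chosen per role rather than per resource; recording which verbs the code exercises for each resource would make the next tightening pass much easier.
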
Member

Does this need to create service accounts?

This seems fine for a first pass, but it definitely shows how little we've been thinking about least privilege.
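
The least-privilege review above is mechanical enough to automate. The following is an added example, not code from knative/serving or from this PR: a small Python linter that parses the flow-style rule lines exactly as they appear in the review snippets (indentation is ignored, so pasted snippets work) and flags what the reviewers are asking about: write verbs on secrets, serviceaccounts, namespaces, CRDs and webhook configurations, wildcard grants, and a verb list copied unchanged onto every rule. The SENSITIVE set and SAMPLE_RULES are constructed for this example.

```python
"""Lint flow-style RBAC rule snippets for least-privilege problems.

Added example for this review; not code from knative/serving or this PR.
The SENSITIVE set and SAMPLE_RULES below are constructed for the example.
"""
import re

# One rule line of the flow-style YAML used in the snippets, e.g.
#   - apiGroups: [""]
#     resources: ["pods", "secrets"]
# The leading dash marks the start of a new rule; indentation is ignored so
# snippets copied from a review page parse as well as the real file does.
_LINE = re.compile(r'^\s*(-\s*)?(apiGroups|resources|verbs)\s*:\s*\[(.*)\]\s*$')

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

# (apiGroup, resource) pairs where write verbs are close to cluster-admin.
# Assumption for this example, chosen from what the reviewers questioned.
SENSITIVE = {
    ("", "secrets"),
    ("", "serviceaccounts"),
    ("", "namespaces"),
    ("apiextensions.k8s.io", "customresourcedefinitions"),
    ("admissionregistration.k8s.io", "mutatingwebhookconfigurations"),
    ("admissionregistration.k8s.io", "validatingwebhookconfigurations"),
}


def parse_rules(text):
    """Parse rule lines into a list of {apiGroups, resources, verbs} dicts."""
    rules, current = [], None
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # "rules:", blank lines, prose between snippets
        dash, key, body = m.groups()
        if dash or current is None:
            current = {"apiGroups": [], "resources": [], "verbs": []}
            rules.append(current)
        # Split the flow list and strip quotes; the core group stays as "".
        current[key] = [item.strip().strip("\"'")
                        for item in body.split(",") if item.strip()]
    return rules


def lint(rules):
    """Return (rule_index, message) findings for wildcards and sensitive writes."""
    findings = []
    for i, rule in enumerate(rules):
        verbs = set(rule["verbs"])
        for group in rule["apiGroups"]:
            for resource in rule["resources"]:
                label = f"{group or 'core'}/{resource}"
                if "*" in (group, resource) or "*" in verbs:
                    findings.append((i, f"wildcard grant on {label}"))
                elif (group, resource) in SENSITIVE and verbs & WRITE_VERBS:
                    bad = ",".join(sorted(verbs & WRITE_VERBS))
                    findings.append((i, f"write verbs [{bad}] on {label}"))
    return findings


def uniform_verbs(rules):
    """True when every rule carries the identical verb set: a sign the verbs
    were assigned per role instead of per resource."""
    return len(rules) > 1 and len({tuple(sorted(r["verbs"])) for r in rules}) == 1


# Constructed sample mirroring the controller rules quoted in the review.
SAMPLE_RULES = """
rules:
- apiGroups: [""]
  resources: ["pods", "namespaces", "secrets", "configmaps", "endpoints", "services", "events", "serviceaccounts"]
  verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations"]
  verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["build.dev"]
  resources: ["builds", "buildtemplates"]
  verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
"""

if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for index, message in lint(parsed):
        print(f"rule {index}: {message}")
    if uniform_verbs(parsed):
        print("all rules share one verb list; verbs were not derived per resource")
```

Run against the sample it reports five findings (namespaces, secrets and serviceaccounts in the core group, then the webhook configuration and CRD rules) and notes that every rule shares one verb list. A rule such as secrets with only get/list/watch produces no finding, which is the shape each sensitive entry should converge to unless the code demonstrably writes it.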

resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
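
Review bot: mutatingwebhookconfigurations and customresourcedefinitions both get the full verb set here, including delete. A controller that registers its own webhook and CRDs at startup needs create and update (or patch) on them, but delete lets the controller's service account remove admission webhooks or CRDs cluster-wide, and removing a CRD takes every object of that type with it; if the CRDs and webhook are installed by the release manifests rather than by the controller, get/list/watch is enough. Please state in the PR which of these objects the controller actually writes so the verbs can match.
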
Member

Why does the controller need create/update on custom resource definitions?

resources: ["customresourcedefinitions"]
verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
- apiGroups: ["serving.knative.dev"]
resources: ["configurations", "configurationgenerations", "routes", "revisions", "revisionuids", "autoscalers", "services"]
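
Review bot: the explicit resource list for serving.knative.dev is worth keeping rather than collapsing to "*". A wildcard silently covers every resource added to the group later, delete included, whereas a missing entry fails closed with a forbidden error of the kind that surfaced the builds.build.dev gap in the integration test, which is exactly the signal you want when a controller starts touching a new type. Pairing the list with the suggested comment near the controllers that it must be kept in sync would keep that property cheap to maintain.
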
Member

Can this be "*"?

resources: ["ingresses","deployments"]
verbs: ["get", "list", "update", "patch", "watch"]
- apiGroups: ["apps"]
resources: ["deployments", "statefulsets"]
Member

Why statefulsets?

Member

(and above)

verbs: ["get", "list", "update", "patch", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
resources: ["mutatingwebhookconfigurations"]
verbs: ["get", "list", "update", "patch", "watch"]
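
Review bot: this rule (the autoscaler's, per the thread) repeats the same get/list/update/patch/watch set on mutatingwebhookconfigurations as on its workload rules. Update and patch here allow the holder to change which requests the serving admission webhook intercepts, which is cluster-wide admission control rather than an autoscaling concern; if the autoscaler only observes the webhook configuration, get/list/watch suffices, and if it never touches it the rule should be removed.
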
Member

Why update and patch for the autoscaler?

@google-prow-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: evankanderson, rootfs

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-prow-robot google-prow-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 16, 2018
@google-prow-robot google-prow-robot merged commit 4d497a2 into knative:master Jun 16, 2018
@rootfs rootfs mentioned this pull request Jul 17, 2018