Compass Manager - Improve RBACs resources #155

Closed
koala7659 opened this issue Apr 9, 2024 · 0 comments
Labels: area/control-plane (Related to all activities around Kyma Control Plane), kind/feature (Categorizes issue or PR as related to a new feature.)
koala7659 commented Apr 9, 2024

Description:

We need to improve the RBAC resources in the following aspects:

  1. Apply SRE suggestions from the review of the RBAC report and replace some ClusterRoles with Roles in our RBAC charts, since some resources like the Kyma CR are not cluster scoped, so we do not need ClusterRoles to manage them.
  2. Add RBACs to CompassManagerMappings to protect them from being accidentally removed.

Reasons:

Ad. 1

Discussion with SRE before rollout to PROD.

Ad. 2

In our documentation for compass-manager we can read:

> We must remember to correctly set up RBAC for the Compass Manager Mapping CRD. Developers should be able to view the CompassManagerMapping resources but not modify or delete them.
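
Added example, not part of the original issue or the project's charts: a namespaced, read-only Role and RoleBinding of the kind that point 2 describes. The API group `operator.kyma-project.io`, the object names and the `developers` group are assumptions; only the `kcp-system` namespace and the CompassManagerMapping kind come from this page.

```yaml
# Added example. Values marked "assumed" are not taken from the issue.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                                  # namespaced, so no ClusterRole is needed
metadata:
  name: compass-manager-mapping-viewer      # assumed name
  namespace: kcp-system
rules:
  - apiGroups: ["operator.kyma-project.io"] # assumed API group of the CRD
    resources: ["compassmanagermappings"]
    # Read-only: create, update, patch, delete and deletecollection are left out.
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: compass-manager-mapping-viewer-developers   # assumed name
  namespace: kcp-system
subjects:
  - kind: Group
    name: developers                        # assumed group name
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: compass-manager-mapping-viewer
  apiGroup: rbac.authorization.k8s.io
```

RBAC is additive, so this keeps developers read-only only if no other Role or ClusterRole binding grants them write verbs on the same resource. With the assumed names, `kubectl auth can-i delete compassmanagermappings -n kcp-system --as=some-developer --as-group=developers` should answer `no`.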

@koala7659 koala7659 added area/control-plane Related to all activities around Kyma Control Plane kind/feature Categorizes issue or PR as related to a new feature. labels Apr 9, 2024
@koala7659 koala7659 self-assigned this Apr 18, 2024
@Disper Disper assigned mvshao and unassigned koala7659 May 2, 2024
kyma-bot added a commit that referenced this issue May 13, 2024
**Description**
Limit scope for Compass Manager from cluster-wide to namespace-wide
(kcp-system) privileges

Changes proposed in this pull request:

- change RBACs from `ClusterRole` to `Role` 
- code adjustments to restrict the controller to only work in kcp-system
namespace context

**Related issue(s)**
#155
@Disper Disper assigned VOID404 and unassigned mvshao May 15, 2024
@mvshao mvshao self-assigned this May 16, 2024
@mvshao mvshao closed this as completed May 17, 2024