Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(server): don't grab SAs if SSO RBAC is not enabled #11426

Merged
merged 1 commit into from
Aug 11, 2023
Merged

fix(server): don't grab SAs if SSO RBAC is not enabled #11426

merged 1 commit into from
Aug 11, 2023

Conversation

agilgur5
Copy link

@agilgur5 agilgur5 commented Jul 24, 2023
edited
Loading

Fixes argoproj/argo-helm#2159, Fixes argoproj/argo-helm#1624

Motivation

  • the ResourceCache creates a ServiceAccountLister informer, but this is only used when RBAC is enabled
    • if RBAC is not enabled, it is not used, and so does not need to be created
    • also, if RBAC is not enabled, the Server's ClusterRole should not require serviceaccount permissions
      • without this change, whenever SSO is enabled, the ClusterRole will require serviceaccount permissions, despite not actually needing it (i.e. not "least privilege")

Modifications

  • only create the ResourceCache when SSO RBAC is enabled

Verification

There's no unit tests for this specific file / for the NewArgoServer function. I might be able to write an E2E test for this, but am still learning that part of the codebase.

  • I think this would require having an alternate manifest that does not have rbac.enabled: true. Then running a subset of the Server E2E tests. Non-trivial change as far as I can tell so far, and may require a decent bit of modifications to the Makefile etc to run a new test + install a new manifest as well 😅

Future Work

I feel like it might make sense to rename / move resource_cache.go? It is only used by SSO RBAC and nothing else right now, as far as I can tell. The name feels misleading as a result as it seems more generic.

@agilgur5
fix(server): don't grab SAs if SSO RBAC is not enabled
3551fec 
- the `ResourceCache` creates a `ServiceAccountLister` `informer`, but this is only used when RBAC is enabled
  - if RBAC is not enabled, it is not used, and so does not need to be created
  - also, if RBAC is not enabled, the Server's `ClusterRole` should not require `serviceaccount` permissions
    - without this change, whenever SSO is enabled, the `ClusterRole` will require `serviceaccount` permissions, despite not actually needing it (i.e. not "least privilege")

Signed-off-by: Anton Gilgur <agilgur5@gmail.com>
@agilgur5
Copy link
Author

I don't think the CI errors here are related as I didn't change the actual manifests and none of the failures are API failures. I assume flaky tests?

@terrytangyuan terrytangyuan enabled auto-merge (squash) July 28, 2023 03:31
@terrytangyuan terrytangyuan disabled auto-merge August 11, 2023 20:41
@terrytangyuan terrytangyuan enabled auto-merge (squash) August 11, 2023 20:45
@terrytangyuan terrytangyuan merged commit 311214c into argoproj:master Aug 11, 2023
@agilgur5 agilgur5 deleted the fix-server-sa-watch branch August 11, 2023 23:47
terrytangyuan pushed a commit that referenced this pull request Aug 13, 2023
@terrytangyuan
fix(server): don't grab SAs if SSO RBAC is not enabled (#11426)
ad92818 
Signed-off-by: Anton Gilgur <agilgur5@gmail.com>
dpadhiar pushed a commit to dpadhiar/argo-workflows that referenced this pull request May 9, 2024
@agilgur5 @dpadhiar
fix(server): don't grab SAs if SSO RBAC is not enabled (argoproj#11426)
4de8764 
Signed-off-by: Anton Gilgur <agilgur5@gmail.com>
Signed-off-by: Dillen Padhiar <dillen_padhiar@intuit.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@terrytangyuan terrytangyuan terrytangyuan approved these changes

Assignees
No one assigned
Labels
area/sso-rbac type/security Security related
Projects
None yet
Milestone
No milestone
2 participants
@agilgur5 @terrytangyuan