Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ optimize rbac across controllers #10552

Merged
merged 4 commits into from
May 17, 2024
Merged

✨ optimize rbac across controllers #10552

merged 4 commits into from
May 17, 2024

Conversation

chrischdi
Copy link
Member

@chrischdi chrischdi commented May 3, 2024
edited
Loading

What this PR does / why we need it:

I reviewed and changed some permissions to harden RBAC for our controllers.

RBAC removals:

Controller Object Old permissions New permissions
Core CAPI clusters create/delete/get/list/patch/update/watch get/list/patch/update/watch
Core CAPI clusters/status create/delete/get/list/patch/update/watch get/list/patch/update/watch
Core CAPI clusters/finalizers create/delete/get/list/patch/update/watch get/list/patch/update/watch
Core CAPI nodes create/delete/get/list/patch/update/watch none *
Core CAPI events create/delete/get/list/patch/update/watch create
kubeadm bootsrap events create/delete/get/list/patch/update/watch create
kubeadm control-plane events create/delete/get/list/patch/update/watch create
kubeadm bootstrap kubeadmconfigs/finalizers ? none *2
Core CAPI clusterresourcesets/finalizers ? none *2
Core CAPI machinepools/finalizers ? none *2
Core CAPI clusters/finalizers ? none *2
Core CAPI machines/finalizers ? none *2
Core CAPI machinedeployments/finalizers ? none *2
Core CAPI machinehealthchecks/finalizers ? none *2
Core CAPI machinesets/finalizers ? none *2
Core CAPI machinedeployments/finalizers ? none *2
Core CAPI machinesets/finalizers ? none *2
CAPD dockermachinepools/finalizers ? none *2
CAPD dockermachinepools/finalizers ? none *2
CAPD dockerclusters/finalizers ? none *2
CAPD dockermachines/finalizers ? none *2
InMemory inmemoryclusters/finalizers ? none *2
InMemory inmemorymachines/finalizers ? none *2

*: this is okay, because for accessing nodes on managed clusters we always use the admin credentials and it is not related to rbac inside the management cluster (also for self-hosted).

*2: this is okay, because we never use the subresource for adding/removing finalizers

RBAC alignment (adding update where patch is already allowed or adding get and watch where list is already allowed, xref)

Controller Object Old permissions New permissions
kubeadm control-plane machinepools list get/list/watch
Core CAPI configmaps get/list/watch/patch get/list/watch/patch/update
Core CAPI secrets get/list/watch/patch get/list/watch/patch/update

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):

Part of #6554

Note: I did use controller-gen from kubernetes-sigs/controller-tools#937 to get a deduplicated output.
On top the following query helps to get a comparable output which can be pasted to google sheets or similar:

for f in $(find . -iname role.yaml | grep config); do cat $f | yq '.rules[] | . as $parent | ($parent.apiGroups | join ";") + "," + .resources[] + "," + (.verbs | join ";")' | sort | sed 's#^#'$f',#'; done

Note: kubernetes-sigs/controller-tools#937 would help to deduplicate and cleanup the resulting clusterroles/roles so they are better in getting compared or audited.

/area api

(there was no perfect matching area, alternative would be adding all areas of the controllers)

@k8s-ci-robot k8s-ci-robot added area/api Issues or PRs related to the APIs cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 3, 2024
@chrischdi chrischdi changed the title ✨ optimize rbac across controllers [wip] ✨ optimize rbac across controllers May 3, 2024
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 3, 2024
@chrischdi
Copy link
Member Author

/test help

@k8s-ci-robot
Copy link
Contributor

@chrischdi: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

  • /test pull-cluster-api-build-main
  • /test pull-cluster-api-e2e-blocking-main
  • /test pull-cluster-api-e2e-conformance-ci-latest-main
  • /test pull-cluster-api-e2e-conformance-main
  • /test pull-cluster-api-e2e-dualstack-and-ipv6-main
  • /test pull-cluster-api-e2e-main
  • /test pull-cluster-api-e2e-mink8s-main
  • /test pull-cluster-api-e2e-upgrade-1-30-1-31-main
  • /test pull-cluster-api-test-main
  • /test pull-cluster-api-test-mink8s-main
  • /test pull-cluster-api-verify-main

The following commands are available to trigger optional jobs:

  • /test pull-cluster-api-apidiff-main

Use /test all to run the following jobs that were automatically triggered:

  • pull-cluster-api-apidiff-main
  • pull-cluster-api-build-main
  • pull-cluster-api-e2e-blocking-main
  • pull-cluster-api-test-main
  • pull-cluster-api-verify-main

In response to this:

/test help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@chrischdi
Copy link
Member Author

/test pull-cluster-api-e2e-conformance-ci-latest-main
/test pull-cluster-api-e2e-conformance-main
/test pull-cluster-api-e2e-dualstack-and-ipv6-main
/test pull-cluster-api-e2e-main
/test pull-cluster-api-e2e-mink8s-main
/test pull-cluster-api-e2e-upgrade-1-30-1-31-main

@chrischdi
Copy link
Member Author

/test pull-cluster-api-e2e-conformance-ci-latest-main
/test pull-cluster-api-e2e-conformance-main
/test pull-cluster-api-e2e-dualstack-and-ipv6-main
/test pull-cluster-api-e2e-main
/test pull-cluster-api-e2e-mink8s-main
/test pull-cluster-api-e2e-upgrade-1-30-1-31-main

@chrischdi
Copy link
Member Author

@chrischdi: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-cluster-api-e2e-main 47ec791 link true /test pull-cluster-api-e2e-main
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Failure is I think related to #10530

/test pull-cluster-api-e2e-main

@chrischdi chrischdi changed the title [wip] ✨ optimize rbac across controllers ✨ optimize rbac across controllers May 7, 2024
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 7, 2024
@chrischdi
Copy link
Member Author

Let's do another round of tests

/test pull-cluster-api-e2e-main

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels May 7, 2024
@chrischdi
Copy link
Member Author

/test pull-cluster-api-e2e-conformance-ci-latest-main
/test pull-cluster-api-e2e-conformance-main
/test pull-cluster-api-e2e-dualstack-and-ipv6-main
/test pull-cluster-api-e2e-main
/test pull-cluster-api-e2e-mink8s-main
/test pull-cluster-api-e2e-upgrade-1-30-1-31-main

@sbueringer
Copy link
Member

/hold

for #10612 please :)

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 14, 2024
@chrischdi
Copy link
Member Author

/hold

to wait for #10612

@chrischdi
Copy link
Member Author

/hold cancel

/assign @sbueringer @fabriziopandini

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 14, 2024
@sbueringer
Copy link
Member

Will take another look in a bit

@sbueringer sbueringer added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label May 15, 2024
@sbueringer
Copy link
Member

Thx!

/lgtm
/assign @fabriziopandini

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 15, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: ef567ae9f91581aa4e91d4509ad1f197a0f0b75b

fabriziopandini
fabriziopandini reviewed May 17, 2024
View reviewed changes
Copy link
Member

@fabriziopandini fabriziopandini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's an awesome work, thank you
/lgtm
/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fabriziopandini

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 17, 2024
@k8s-ci-robot k8s-ci-robot merged commit ae096cd into kubernetes-sigs:main May 17, 2024
29 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.8 milestone May 17, 2024
@chrischdi chrischdi mentioned this pull request May 28, 2024
Merged
This was referenced Aug 26, 2024
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fabriziopandini fabriziopandini fabriziopandini left review comments

@sbueringer sbueringer sbueringer left review comments

@JoelSpeed JoelSpeed Awaiting requested review from JoelSpeed

@richardcase richardcase Awaiting requested review from richardcase

Assignees

@sbueringer sbueringer

@fabriziopandini fabriziopandini

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/api Issues or PRs related to the APIs cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges.
Projects
None yet
Milestone
v1.8
Development

Successfully merging this pull request may close these issues.
4 participants
@chrischdi @k8s-ci-robot @sbueringer @fabriziopandini