Reduce route-agent and gateway privileges #2008

Merged
merged 3 commits into from
Aug 8, 2022

@skitt skitt commented Apr 7, 2022

This drops unnecessary privileges from the route-agent and gateway:
they don't need to modify pods, notes, secrets, or
persistentvolumeclaims.

Signed-off-by: Stephen Kitt <skitt@redhat.com>

@submariner-bot

🤖 Created branch: z_pr2008/skitt/reduce-ra-gateway-permissions
🚀 Full E2E won't run until the "ready-to-test" label is applied. I will add it automatically once the PR has 2 approvals, or you can add it manually.

@skitt skitt force-pushed the reduce-ra-gateway-permissions branch from 1d02e36 to 5d694d7 Compare April 7, 2022 12:51
@skitt skitt force-pushed the reduce-ra-gateway-permissions branch from 5d694d7 to 5f77e9c Compare April 15, 2022 09:14
@stale

stale bot commented Apr 30, 2022

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix This will not be worked on label Apr 30, 2022
@dfarrell07 dfarrell07 removed the wontfix This will not be worked on label May 3, 2022
@stale

stale bot commented May 31, 2022

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix This will not be worked on label May 31, 2022
@skitt skitt force-pushed the reduce-ra-gateway-permissions branch from 5f77e9c to 4d7343f Compare May 31, 2022 12:53
@stale stale bot removed the wontfix This will not be worked on label May 31, 2022
@skitt skitt force-pushed the reduce-ra-gateway-permissions branch from 4d7343f to 9dc9eda Compare June 16, 2022 16:53
@stale

stale bot commented Jul 10, 2022

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix This will not be worked on label Jul 10, 2022
@dfarrell07 dfarrell07 added the ready-to-test When a PR is ready for full E2E testing label Jul 12, 2022
@stale stale bot removed the wontfix This will not be worked on label Jul 12, 2022
@stale

stale bot commented Jul 30, 2022

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix This will not be worked on label Jul 30, 2022
@tpantelis tpantelis removed the wontfix This will not be worked on label Jul 31, 2022
@skitt skitt force-pushed the reduce-ra-gateway-permissions branch from e152c47 to bc988b5 Compare August 1, 2022 09:29
@skitt skitt marked this pull request as ready for review August 1, 2022 16:11
@dfarrell07 dfarrell07 added the release-note-needed Should be mentioned in the release notes label Aug 2, 2022
@tpantelis tpantelis requested a review from dfarrell07 August 8, 2022 13:39
@tpantelis tpantelis merged commit f3f650b into submariner-io:devel Aug 8, 2022
@submariner-bot

🤖 Closed branches: [z_pr2008/skitt/reduce-ra-gateway-permissions]

tpantelis added a commit to tpantelis/submariner-operator that referenced this pull request Aug 26, 2022
The gateway is failing trying to update labels on its own pod:

main.go:416] Error updating pod label: Error patching own pod
"submariner-gateway-jqc9v"...forbidden: User
"system:serviceaccount:submariner-operator:submariner-gateway"
cannot patch resource "pods"

PR submariner-io#2008
removed the "pods" privilege for the gateway role but it turns out
it's needed.

Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
skitt pushed a commit that referenced this pull request Aug 29, 2022
The gateway is failing trying to update labels on its own pod:

main.go:416] Error updating pod label: Error patching own pod
"submariner-gateway-jqc9v"...forbidden: User
"system:serviceaccount:submariner-operator:submariner-gateway"
cannot patch resource "pods"

PR #2008
removed the "pods" privilege for the gateway role but it turns out
it's needed.

Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
@skitt skitt removed the release-note-needed Should be mentioned in the release notes label Nov 3, 2022
skitt added a commit to skitt/submariner-operator that referenced this pull request Nov 3, 2022
... including follow-up partial reverts in submariner-io#2214 and submariner-io#2225.

Signed-off-by: Stephen Kitt <skitt@redhat.com>
@skitt skitt added release-note-needed Should be mentioned in the release notes release-note-handled labels Nov 3, 2022
skitt added a commit to skitt/submariner-operator that referenced this pull request Nov 3, 2022
... including follow-up partial reverts in submariner-io#2214 and submariner-io#2225.

Signed-off-by: Stephen Kitt <skitt@redhat.com>
tpantelis pushed a commit that referenced this pull request Nov 3, 2022
... including follow-up partial reverts in #2214 and #2225.

Signed-off-by: Stephen Kitt <skitt@redhat.com>
dfarrell07 added a commit to dfarrell07/submariner-operator that referenced this pull request Nov 10, 2022
The submariner-gateway RBAC for pods duplicates the get permission, as
it's granted * elsewhere.

This was recently modified in submariner-io#2214 and submariner-io#2008.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
dfarrell07 added a commit to dfarrell07/submariner-operator that referenced this pull request Nov 10, 2022
The submariner-gateway RBAC for pods duplicates the get permission, as
it's granted * elsewhere.

This was recently modified in submariner-io#2214 and submariner-io#2008.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
dfarrell07 added a commit to dfarrell07/submariner-operator that referenced this pull request Nov 11, 2022
The submariner-gateway RBAC for pods duplicates the get permission, as
it's granted * elsewhere.

This was recently modified in submariner-io#2225 and submariner-io#2008.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
dfarrell07 added a commit to dfarrell07/submariner-operator that referenced this pull request Nov 11, 2022
The  RBAC for pods duplicates the get permission, as it's granted *
elsewhere.

This was recently modified in submariner-io#2225, submariner-io#2214, and submariner-io#2008.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
sridhargaddam pushed a commit to dfarrell07/submariner-operator that referenced this pull request Dec 17, 2022
The  RBAC for pods duplicates the get permission, as it's granted *
elsewhere.

This was recently modified in submariner-io#2225, submariner-io#2214, and submariner-io#2008.

Signed-off-by: Daniel Farrell <dfarrell@redhat.com>
@dfarrell07 dfarrell07 removed release-note-needed Should be mentioned in the release notes release-note-handled labels May 3, 2023
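
The follow-up commits above describe two outcomes of trimming a role: a dropped grant that was still needed (the gateway's `patch` on `pods`) and an explicit verb that `*` already covers. The Go program below is an added example, not code from submariner-operator, that checks a rule set for both; `Rule`, `Need`, `Allowed` and `Audit` are hypothetical names, the rules are constructed, and matching is simplified to resources and verbs.

```go
package main

import "fmt"

type Rule struct{ Resources, Verbs []string } // simplified RBAC rule: core group, no resourceNames
type Need struct{ Resource, Verb string }     // one API call the component makes

func has(list []string, want string) bool {
	for _, v := range list {
		if v == want || v == "*" {
			return true
		}
	}
	return false
}

// Allowed reports whether any rule grants the verb on the resource; "*" matches anything.
func Allowed(rules []Rule, n Need) bool {
	for _, r := range rules {
		if has(r.Resources, n.Resource) && has(r.Verbs, n.Verb) {
			return true
		}
	}
	return false
}

// Audit returns needs the role would refuse and grants another rule already covers.
func Audit(rules []Rule, needs []Need) (missing, redundant []Need) {
	for _, n := range needs {
		if !Allowed(rules, n) {
			missing = append(missing, n)
		}
	}
	for i, r := range rules {
		others := append(append([]Rule{}, rules[:i]...), rules[i+1:]...)
		for _, res := range r.Resources {
			for _, v := range r.Verbs {
				if n := (Need{res, v}); Allowed(others, n) {
					redundant = append(redundant, n)
				}
			}
		}
	}
	return missing, redundant
}

func main() {
	// Constructed rule, not the operator's real role: only "get" on pods is left.
	fmt.Println(Audit([]Rule{{[]string{"pods"}, []string{"get"}}}, []Need{{"pods", "patch"}}))
}
```

The list of needs has to come from the component's actual API calls (code review or audit logs); the check only compares that list with the rules.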