Comments (10)
@erikgb
Thank you for your interest in this project.
That permissive RBAC is not required. Actually, we should use the controller.additionalRBAC.rule parameter to give the necessary permissions.
Thanks @ymmt2005! Will you create a PR to fix this? Or can I just create one - suggesting just to remove the permissive RBAC? Or will that require other additional changes?
This permission was added in #20 to allow the accurate controller to check annotations. I need to investigate further what the problem was.
So, the problem was we got an error from the accurate controller when it tried to access a parent resource of a Secret, and the parent was a cluster-scoped CRD.
As the parent can be anything, we allowed the accurate controller to read any kind of resources to suppress that error.
The relevant feature is this.
https://cybozu-go.github.io/accurate/propagation.html#annotating-a-resource-to-propagate-resources-created-from-it
We thought it'd be pretty difficult for normal users to identify the error and fix it by giving additional permissions.
> a parent resource of a Secret, and the parent was a cluster-scoped CRD
Does this make sense? How can a cluster-scoped resource be a parent of a namespace-scoped resource?
BTW the example in the docs of this feature is obsolete, as cert-manager now supports secret templates. 😉 https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSecretTemplate
I was wrong. The resource was CephCluster from Rook, which is namespace-scoped.
https://rook.io/docs/rook/v1.12/CRDs/Cluster/ceph-cluster-crd/
The problem was, although we granted the admin ClusterRole to the accurate controller, Rook did not aggregate permissions for CephCluster into admin; therefore, the accurate controller could not get them.
https://github.com/cybozu-go/accurate/blob/main/charts/accurate/templates/generated/generated.yaml#L188-L204
> The problem was, although we granted admin ClusterRole to the accurate controller, Rook did not aggregate permissions for CephCluster into admin, therefore, the accurate controller could not get them.
I think it should be the user's responsibility to configure RBAC. Even granting (namespace) admin cluster-wide RBAC is questionable IMO.
yes, we can put these as a default/recommended setting in Helm values.yaml.
> yes, we can put these as a default/recommended setting in Helm values.yaml
I suppose you are addressing the cluster-wide admin permission now? Read access to ALL resources is not a good default IMO.
> Read access to ALL resources is not a good default IMO.
Agreed.
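To make the outcome of the thread concrete, here is an added example (not code from the accurate project or from any commenter) of Helm values that grant the controller only the parent kind from the Rook case instead of read access to everything. The key name is the one the thread cites; that it takes a list of PolicyRules under `rules:` and the placeholder names are assumptions.

```yaml
# Added example, not from the accurate chart. Assumes controller.additionalRBAC.rules
# is a list of rbac.authorization.k8s.io PolicyRules that the chart renders into the
# controller's ClusterRole.
controller:
  additionalRBAC:
    # What the thread argues against: a catch-all rule giving the controller
    # get/list/watch on every resource in every API group. Do not ship this as
    # a default; it is shown here only for contrast.
    #
    # rules:
    #   - apiGroups: ["*"]
    #     resources: ["*"]
    #     verbs: ["get", "list", "watch"]
    #
    # Scoped alternative: list only the parent kinds that resources are
    # propagated from in this cluster. CephCluster (API group ceph.rook.io) is
    # the Rook case discussed above, whose permissions Rook does not aggregate
    # into the admin ClusterRole; add one entry per additional parent kind.
    rules:
      - apiGroups: ["ceph.rook.io"]
        resources: ["cephclusters"]
        verbs: ["get", "list", "watch"]
```

After installing with these values, confirm the grant took effect with `kubectl auth can-i get cephclusters.ceph.rook.io --as=system:serviceaccount:<accurate-namespace>:<controller-serviceaccount>` (placeholders for your deployment), which surfaces the missing-permission error from the thread before the controller hits it.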