Controller RBAC is too permissive about accurate HOT 10 CLOSED

@erikgb
Thank you for your interest in this project.
That permissive RBAC is not required.
Actually, we should use controller.additionalRBAC.rule parameter to give necessary permissions.

from accurate.

Thanks @ymmt2005! Will you create a PR to fix this? Or can I just create one - suggesting just to remove the permissive RBAC? Or will that require other additional changes?

from accurate.

This permission was added in #20 to allow the accurate controller to check
annotations. I need further investigation into what the problem was.

from accurate.

So, the problem was we got an error from the accurate controller when
it tried to access a parent resource of a Secret, and the parent was
a cluster-scoped CRD.

As the parent can be anything, we allowed the accurate controller to
read any kind of resources to suppress that error.

The relevant feature is this.
https://cybozu-go.github.io/accurate/propagation.html#annotating-a-resource-to-propagate-resources-created-from-it

We thought it'd be pretty difficult for normal users to identify the error
and fix it by giving additional permissions.

from accurate.

a parent resource of a Secret, and the parent was a cluster-scoped CRD

Does this make sense? How can a cluster-scoped resource be a parent of a namespace-scoped resource?

BTW the example in the docs of this feature is obsolete, as cert-manager now supports secret templates. 😉 https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSecretTemplate

from accurate.

I was wrong. The resource was CephCluster from Rook, which is namespace-scoped.
https://rook.io/docs/rook/v1.12/CRDs/Cluster/ceph-cluster-crd/

The problem was, although we granted admin ClusterRole to the accurate controller,
Rook did not aggregate permissions for CephCluster into admin, therefore, the
accurate controller could not get them.
https://github.com/cybozu-go/accurate/blob/main/charts/accurate/templates/generated/generated.yaml#L188-L204

from accurate.

The problem was, although we granted admin ClusterRole to the accurate controller,
Rook did not aggregate permissions for CephCluster into admin, therefore, the
accurate controller could not get them.

I think it should be the user's responsibility to configure RBAC. Even granting (namespace) admin cluster-wide RBAC is questionable IMO.

from accurate.

yes, we can put these as a default/recommended setting in Helm values.yaml.

from accurate.

yes, we can put these as a default/recommended setting in Helm values.yaml

I suppose you are addressing the cluster-wide admin permission now? Read access to ALL resources is not a good default IMO.

from accurate.

Read access to ALL resources is not a good default IMO.

Agreed.

from accurate.