Add permissions for serving APIs to k8s's default view and edit role #5683
Conversation
This patch adds some permissions for knative serving API to edit and view role The `edit` and `view` roles are k8s's default [user-facing role](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles). So, Users should be able to assume that they can access or edit serving resources by using these roles.
knative-prow-robot
added
the
size/S
|
I suppose there will be the same problem with Knative Eventing. |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: markusthoemmes, mattmoor, nak3 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
knative-prow-robot
added
the
approved
|
The following jobs failed:
Job pull-knative-serving-unit-tests expended all 3 retries without success. |
|
/test pull-knative-serving-unit-tests |
1 similar comment
|
/test pull-knative-serving-unit-tests |
| rules: | ||
| - apiGroups: ["serving.knative.dev", "networking.internal.knative.dev", "autoscaling.internal.knative.dev"] | ||
| resources: ["*"] | ||
| verbs: ["create", "update", "patch", "delete"] |
There was a problem hiding this comment.
Don't we need to either include the read APIs here or have the next CR also aggregate into the edit CR?
From https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles edit is described as "Allows read/write access to most objects in a namespace. It does not allow viewing or modifying roles or rolebindings." So I think we need some form of read.
Note that I made a similar comment on Eventing's equivalent knative/eventing#1993 (comment).
There was a problem hiding this comment.
No, you don't need it.
The tric is that view role has the rbac.authorization.k8s.io/aggregate-to-edit label by default:
$ kubectl get clusterrole view --show-labels
NAME AGE LABELS
view 3d2h kubernetes.io/bootstrapping=rbac-defaults,rbac.authorization.k8s.io/aggregate-to-edit=true
So, when you added knative-serving-namespaced-view, knative-serving-namespaced-view is aggregated to view role, as well as aggregated to edit role.
You can confirm it by following steps:
// Create clusterrole
$ cd serving
$ kubectl apply -f config/200-clusterrole-namespaced.yaml
$ kubectl get clusterrole edit -o yaml |grep -A9 serving
The edit role is supposed to have following "read" verbs.
- apiGroups:
- serving.knative.dev
- networking.internal.knative.dev
- autoscaling.internal.knative.dev
resources:
- '*'
verbs:
- get
- list
- watch
Of course we can explicitly add the read role to knative-serving-namespaced-edit, but I feel that it is redundant.
There was a problem hiding this comment.
Cool. Thanks for the explanation.
Proposed Changes
This patch adds permissions for knative serving API to edit and view role.
The
editandviewroles are k8s's default user-facing role.So, Users should be able to assume that they can access or edit serving resources by
using these roles.
/lint
Release Note