Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add permissions for serving APIs to k8s's default view and edit role #5683

Merged
merged 1 commit into from
Sep 29, 2019
Merged

Add permissions for serving APIs to k8s's default view and edit role #5683

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 24 additions & 0 deletions config/200-clusterrole-namespaced.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,3 +23,27 @@ rules:
- apiGroups: ["serving.knative.dev", "networking.internal.knative.dev", "autoscaling.internal.knative.dev"]
resources: ["*"]
verbs: ["*"]
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: knative-serving-namespaced-edit
labels:
rbac.authorization.k8s.io/aggregate-to-edit: "true"
serving.knative.dev/release: devel
rules:
- apiGroups: ["serving.knative.dev", "networking.internal.knative.dev", "autoscaling.internal.knative.dev"]
resources: ["*"]
verbs: ["create", "update", "patch", "delete"]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't we need to either include the read APIs here or have the next CR also aggregate into the edit CR?

From https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles edit is described as "Allows read/write access to most objects in a namespace. It does not allow viewing or modifying roles or rolebindings." So I think we need some form of read.

Note that I made a similar comment on Eventing's equivalent knative/eventing#1993 (comment).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, you don't need it.

The tric is that view role has the rbac.authorization.k8s.io/aggregate-to-edit label by default:

$ kubectl get clusterrole  view  --show-labels 
NAME   AGE    LABELS
view   3d2h   kubernetes.io/bootstrapping=rbac-defaults,rbac.authorization.k8s.io/aggregate-to-edit=true

So, when you added knative-serving-namespaced-view, knative-serving-namespaced-view is aggregated to view role, as well as aggregated to edit role.

You can confirm it by following steps:

// Create clusterrole 
$ cd serving
$ kubectl apply -f config/200-clusterrole-namespaced.yaml
$ kubectl get clusterrole edit -o yaml |grep -A9 serving

The edit role is supposed to have following "read" verbs.

- apiGroups:
  - serving.knative.dev
  - networking.internal.knative.dev
  - autoscaling.internal.knative.dev
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch

Of course we can explicitly add the read role to knative-serving-namespaced-edit, but I feel that it is redundant.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool. Thanks for the explanation.

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: knative-serving-namespaced-view
labels:
rbac.authorization.k8s.io/aggregate-to-view: "true"
serving.knative.dev/release: devel
rules:
- apiGroups: ["serving.knative.dev", "networking.internal.knative.dev", "autoscaling.internal.knative.dev"]
resources: ["*"]
verbs: ["get", "list", "watch"]