-
Notifications
You must be signed in to change notification settings - Fork 227
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
More secure rbac #625
More secure rbac #625
Conversation
Signed-off-by: Jirka Kremser <[email protected]>
Signed-off-by: Jirka Kremser <[email protected]>
8eafb82
to
c718b76
Compare
Signed-off-by: Jirka Kremser <[email protected]>
a60f920
to
0613997
Compare
Signed-off-by: Jirka Kremser <[email protected]>
0613997
to
5c367b8
Compare
Signed-off-by: Jirka Kremser <[email protected]>
WOW, this PR is a great idea! I'm checking it in depth because you said, it's complex and RBAC is risky, but I'll post something asap |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looking nice! @zroubalik @tomkerkhove , we should test this really well as it's an important change related with RBAC.
After merging this, we will have to be careful when we apply RBAC changes from core to the chart
Signed-off-by: Jirka Kremser <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great job, I really like it!
@wozniakjan PTAL, extra pair of eyes are always better :)
Signed-off-by: Jirka Kremser <[email protected]>
…yments Signed-off-by: Jirka Kremser <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks really good, here are couple of minor formatting nits
Co-authored-by: Jan Wozniak <[email protected]> Signed-off-by: Jirka Kremser <[email protected]>
Co-authored-by: Jan Wozniak <[email protected]> Signed-off-by: Jirka Kremser <[email protected]>
Co-authored-by: Jan Wozniak <[email protected]> Signed-off-by: Jirka Kremser <[email protected]>
Co-authored-by: Jan Wozniak <[email protected]> Signed-off-by: Jirka Kremser <[email protected]>
…l service accounts Signed-off-by: Jirka Kremser <[email protected]>
Signed-off-by: Jirka Kremser <[email protected]> Signed-off-by: Jirka Kremser <[email protected]> Co-authored-by: Jan Wozniak <[email protected]>
@jkremser Should the instructions for restricting access to secrets be updated? https://keda.sh/docs/2.15/operate/cluster/#restrict-secret-access Also see kedacore/keda-docs#1307 |
Issue #624
the changes rely on
WATCH_NAMESPACE
variable. So if it is empty, we basically install almost the same rbac as before (ClusterRole
withClusterRoleBinding
so that it can watch for events in all the namespaces).If it contains one or multiple namespaces (so it assumes this change is merged), it will use normal
RoleBinding
together with the cluster role so that these rules are namespaced for each listed namespace in that env var.Note: Normal
RoleBinding
+ClusterRole
works the same way asRoleBinding
with normalRole
, but this way we can reuse the same resource and lower the complexity of helm chart a bit.It also contains a way to restrict the set of secrets, the operator should be able to look into. By default it's the same behavior as before, (well, if
WATCH_NAMESPACE
is not empty, it will be restricted only to secrets in that ns), but one can also specify:--set permissions.operator.restrict.namesAllowList="{foo,bar}"
so that the operator can read only secrets in that namespace called"foo"
and"bar"
The other RBAC-related change is the whitelisting of CRDs that can be scaled by the operator. Again, by default it's the same behavior as before, but if requested, one can restrict the set of CRDs that can be referenced by scaled object in advance during the helm installation by:
The PR also splits the RBAC for all three individual components so that webhooks or metric server don't have the same rights as the operator itself(that actually had a right to read ("get") every single resource in the cluster). Now each component has its own service account with a taylored roles attached to it.
Since the PR is quite complex to review, I've prepared some deployment scenarios and captured the resulting RBAC using the
rbac-tool
kubectl plugin.Scenario 1 - no restrictions, just separate RBACs for each KEDA component (which is common to each scenario)
values.yaml
final rbac:
operator
: link to visualizationwebhook
: link to visualizationmetrics-server
: link to visualizationScenario 2 - some CRDs are whitelisted, watching
default
ns + 2 whitelisted secretsvalues.yaml
final rbac:
operator
: link to visualizationwebhook
: link to visualizationmetrics-server
: link to visualizationScenario 3 - all CRDs are allowed + some namespaces are being watched + some secrets are whitelisted
values.yaml
final rbac:
operator
: link to visualizationwebhook
: link to visualizationmetrics-server
: link to visualizationScenario 4 - all namespaces are watched, only secrets called
"bar"
can be readvalues.yaml
final rbac:
operator
: link to visualizationwebhook
: link to visualizationmetrics-server
: link to visualizationnote: for all four scenarios, I've created a Deployment, ScaledObject, checked that hpa was created and deleted it and was checking if there were any rbac related issues