Add bootstrap cluster role for external pv provisioners #40308
Conversation
|
Hi @wongma7. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
cncf-cla: yes
|
This change is |
k8s-github-robot
added
size/S
|
@k8s-bot ok to test |
wongma7
force-pushed
the
pv-rbac
branch
2 times, most recently
from
ccf24a2 to
e7fd51e
Compare
k8s-github-robot
added
size/M
|
cc @kubernetes/sig-auth-pr-reviews |
|
since it seems likely that each external provisioner will want some different permissions, would it make more sense to include this in the external provisioner documentation as an example for them to use as a starting point for creating a role for their provisioner? |
| @@ -284,6 +284,21 @@ func ClusterRoles() []rbac.ClusterRole { | |||
| rbac.NewRule("list", "watch").Groups(batchGroup).Resources("jobs", "cronjobs").RuleOrDie(), | |||
| }, | |||
| }, | |||
| { | |||
| // a role for an external/out-of-tree persistent volume provisioner | |||
| ObjectMeta: metav1.ObjectMeta{Name: "persistent-volume-provisioner"}, | |||
There was a problem hiding this comment.
in general, the names of bootstrap roles should be prefixed with "system:", since users are free to define their own roles, and we want to minimize the number of potential name conflicts.
|
I think I overstated the likelihood of provisioners needing more permissions when I said "some": nfs-provisioner is probably alone because of the weird way it needs to know about its own service. I imagine most other provisioners will just call an API to fill in a flex/nfs/iscsi/etc. volume spec and have no need to touch additional kube objects so a bootstrap role would be useful for them |
|
If its just NFS, then this seems like a reasonable thing to do. It might even work out as a reasonable set of permissions to grant and let the provisioner create its own role for additional permissions to make inspection easier if its a low percentage. |
liggitt
added
release-note-none
|
/lgtm /approve |
| - create | ||
| - patch | ||
| - update | ||
| - apiVersion: rbac.authorization.k8s.io/v1alpha1 |
There was a problem hiding this comment.
you'll need to update this... the testdata changed to v1beta1
|
@liggitt PR needs a re-lgtm/approve, I amended rbac v1alpha1->v1beta1. thanks! |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
@deads2k have an /lgtm, now seeking an /approve please. thank you! :) |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED The following people have approved this PR: liggitt, wongma7 Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-github-robot
added
the
approved
|
Automatic merge from submit-queue (batch tested with PRs 40574, 40806, 40308, 40771, 39440) |
| rbac.NewRule("get", "list", "watch", "create", "delete").Groups(legacyGroup).Resources("persistentvolumes").RuleOrDie(), | ||
| // update is needed in addition to read access for setting lock annotations on PVCs | ||
| rbac.NewRule("get", "list", "watch", "update").Groups(legacyGroup).Resources("persistentvolumeclaims").RuleOrDie(), | ||
| rbac.NewRule(Read...).Groups(storageGroup).Resources("storageclasses").RuleOrDie(), |
There was a problem hiding this comment.
I see here that we're allowing the "system:persistent-volume-provisioner" ClusterRole to read "storageclass" resources. The ClusterRole "edit" allows subjects to create PVCs, which mention these classes.
Should we allow the "edit" ClusterRole to also (get|list|watch) "storageclass" resources, so that they know which classes are available from which to choose? I asked the same question in the "sig-auth" Slack channel.
There was a problem hiding this comment.
the edit cluster role is intended to be granted within a particular namespace, so allowing access to storageclasses in it would not be effective. Read access to storageclasses would need to be in a clusterrole bound to users with a clusterrolebinding, similar to the system:discovery role.
There was a problem hiding this comment.
Oh, right; I missed that point about the intended scope for the "edit" role.
Is there a reason why we'd want to preclude users from reading these classes?
Is there an existing ClusterRole to which we could add this resource ("view" comes to mind), or does it warrant a new role?
There was a problem hiding this comment.
"view" comes to mind
"view" is also intended to be granted within a namespace. I'm not sure whether I'd consider this fundamental enough to be part of discovery or not. @deads2k, what do you think?
There was a problem hiding this comment.
Correct me if I'm wrong, I think the best place for read access to storage classes to go would be system:basicuser, that's how it is in openshift & I assume this basicuser and that one are meant to be roughly equivalent. But in openshift they deliberately only allow listing storage classes not, get nor watch, not sure if the same decision would be made here.
There was a problem hiding this comment.
In my cluster, we've bound "view" via ClusterRoleBinding to a few namespace-related service accounts to allow them to see everything across the cluster. I didn't realize that was counter to its intention. We are perhaps a more promiscuous lot here, as we're still figuring out which namespaces are going to need to see which others.
There was a problem hiding this comment.
The nascent documentation for "system:basic-user" reads as follows:
A role that allows a user read-only access to basic information about themselves.
Including "storagclass" resources would go beyond "themselves." Does that concern you?
There was a problem hiding this comment.
a little. balance between granularity of roles and usability of many roles is tough.
There was a problem hiding this comment.
Thank you for the discussion.
I'll prepare a proposal later this afternoon and reference it from here.
The set of permissions an external provisioner #30285 running as a pod will need. Technically in order to dynamically provision PVs one doesn't need to "update" PVCs or "watch" events but the controller https://github.com/kubernetes-incubator/nfs-provisioner/tree/master/controller we are recommending people use does those things to: set lock annotations on PVCs and watch
ProvisioningSucceeded/ProvisioningFailedevents.Some external provisioners may need additional permissions, for example nfs-provisioner requires "get" access to Services and Endpoints when run "statefully." I think in that case we would recommend creating a new ClusterRole specific to that provisioner, using this as a base?
(This was to be a part of my redo/fix of the external e2e test #39545 but I'm submitting it as a separate PR for now due to some issues I had with running nfs-provisioner on gce.)
@kubernetes/sig-auth-misc ?