Comments (7)
You should be able to give MetaController the minimal set of permissions it needs to do work. The strictest set of things that MetaController needs to access is its CRDs, but it wouldn't be very useful.
Since MetaController manages resources on behalf of its child controllers, MetaController needs rights to manage any of the resources that a child controller manages. So if there's no child controller that needs to list or manage pods then MetaController does not need access to Pods at all.
We could use an Aggregate role for meta controller and it could be standard practice that controller authors would package RBAC Roles that they need.
That could look something like this. We would package the following Aggregate Role with MetaController:
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: metacontroller
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-metacontroller: "true"
# Note: for an aggregated ClusterRole the control plane manages `rules` and
# replaces it with the union of the selected roles' rules, so rules written
# inline here only survive if they are also carried by a labelled role.
rules:
# RBAC resource names are the plural, lowercase form (the CRD's spec.names.plural).
- apiGroups: ["metacontroller.k8s.io"]
  resources: ["compositecontrollers", "decoratorcontrollers", "controllerrevisions"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
Then a controller author would create and distribute the following with their app:
In this example the controller needs to manage Deployment resources and the parent resource is a custom CRD.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: aggregate-cron-tabs-view
  labels:
    # Add these permissions to the "metacontroller" default role.
    rbac.authorization.k8s.io/aggregate-to-metacontroller: "true"
rules:
# The parent CRD, referenced by its plural resource name.
- apiGroups: ["example.com"]
  resources: ["bluegreendeployments"]
  verbs: ["get", "list", "watch", "patch"]
# The child resources this controller manages.
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
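The aggregation proposal above can be checked offline. The following is an added example, not code from the Metacontroller project or from this thread: it models what the clusterrole-aggregation controller does (the `rules` field of an aggregated ClusterRole is replaced by the union of the rules of every ClusterRole whose labels match a `clusterRoleSelector`), so Metacontroller's own CRD permissions live in a separate labelled role here rather than inline. The role definitions are constructed to mirror the YAML in the comment and are embedded as plain dicts so the script needs neither a cluster nor PyYAML. It then answers the least-privilege question raised in the comment (does Metacontroller end up with access to Pods when no contributed role asks for them?).

```python
"""Simulate ClusterRole aggregation, then evaluate RBAC triples against the result.

Added example; roles below are constructed to mirror the thread's YAML.
"""
from typing import Dict, Iterable, List

Rule = Dict[str, List[str]]
AGG_LABEL = "rbac.authorization.k8s.io/aggregate-to-metacontroller"

# Constructed: the aggregate role that would ship with Metacontroller.
AGGREGATE_ROLE = {
    "metadata": {"name": "metacontroller"},
    "aggregationRule": {"clusterRoleSelectors": [{"matchLabels": {AGG_LABEL: "true"}}]},
    "rules": [],  # managed by the aggregation controller; inline rules are overwritten
}

# Constructed: labelled roles the controller folds in, plus one unlabelled role
# that must be ignored even though it grants pods.
CLUSTER_ROLES = [
    {"metadata": {"name": "metacontroller-base", "labels": {AGG_LABEL: "true"}},
     "rules": [{"apiGroups": ["metacontroller.k8s.io"],
                "resources": ["compositecontrollers", "decoratorcontrollers", "controllerrevisions"],
                "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}]},
    {"metadata": {"name": "aggregate-bluegreen", "labels": {AGG_LABEL: "true"}},
     "rules": [{"apiGroups": ["example.com"], "resources": ["bluegreendeployments"],
                "verbs": ["get", "list", "watch", "patch"]},
               {"apiGroups": ["apps"], "resources": ["deployments"],
                "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}]},
    {"metadata": {"name": "unrelated-pod-admin", "labels": {"team": "infra"}},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["*"]}]},
]


def selector_matches(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every requested key/value must be present on the role."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def selected_roles(aggregate_role: dict, candidates: Iterable[dict]) -> List[dict]:
    """Roles whose labels satisfy at least one clusterRoleSelector."""
    selectors = aggregate_role.get("aggregationRule", {}).get("clusterRoleSelectors", [])
    return [r for r in candidates
            if any(selector_matches(s, r.get("metadata", {}).get("labels", {})) for s in selectors)]


def aggregate(aggregate_role: dict, candidates: Iterable[dict]) -> List[Rule]:
    """Effective rules: the union of the selected roles' rules (inline rules discarded)."""
    rules: List[Rule] = []
    for role in selected_roles(aggregate_role, candidates):
        rules.extend(role.get("rules", []))
    return rules


def _matches(wanted: str, allowed: List[str]) -> bool:
    return "*" in allowed or wanted in allowed


def allows(rules: Iterable[Rule], group: str, resource: str, verb: str) -> bool:
    """RBAC evaluation of one (apiGroup, resource, verb) triple with '*' wildcards.
    The core API group is the empty string, as in RBAC manifests."""
    return any(_matches(group, r.get("apiGroups", []))
               and _matches(resource, r.get("resources", []))
               and _matches(verb, r.get("verbs", []))
               for r in rules)


def effective_rules() -> List[Rule]:
    return aggregate(AGGREGATE_ROLE, CLUSTER_ROLES)


def selected_names() -> List[str]:
    return [r["metadata"]["name"] for r in selected_roles(AGGREGATE_ROLE, CLUSTER_ROLES)]


if __name__ == "__main__":
    rules = effective_rules()
    print("aggregated from:", selected_names())
    for triple in [("apps", "deployments", "delete"), ("", "pods", "list"),
                   ("example.com", "bluegreendeployments", "delete")]:
        print(triple, "->", "allowed" if allows(rules, *triple) else "denied")
```

The unlabelled `unrelated-pod-admin` role is the point of the check: only roles that opt in via the label reach Metacontroller, so its effective permissions track exactly what installed controllers declared, and `allows(rules, "", "pods", "list")` stays false until some controller author ships a labelled role that asks for it.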
@Kalise Metacontroller can be run in any namespace. The main reason we suggest creating a new namespace is because there are cross-references in the installation and example controller manifests that need to specify an explicit namespace where things live. If we didn't create our own namespace with a known name, we'd have to ask you to fill in the namespace you chose in a bunch of places. I think it's also now discouraged to put extensions in kube-system, which they'd like to reserve for core k8s components.
@rlguarino Interesting idea! I didn't even know about aggregate roles. Another possibility I was thinking about is giving each controller its own service account, and having Metacontroller "act as" that service account when performing writes on behalf of that controller. This would let admins restrict permissions to only certain controllers.
However, it's a bit tricky to achieve this restriction for reads, since they are globally cached. One idea I had for that is to have Metacontroller perform manual authz checks for reads (with the per-controller service account) before fetching values from the cache on behalf of a given controller. We could cache the authz result with some TTL, which I believe webhook auth also does, to reduce query load.
I hadn't yet worked out how to give Metacontroller permission to populate the global cache on behalf of the set of controllers that need a given resource, but the aggregation feature you mentioned seems like it would help with that.
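The read-side idea in the comment above (a per-controller service account, an authz check before handing an object out of the shared cache, and a TTL on the verdict) can be sketched in a few dozen lines. This is an added example, not Metacontroller code. `sar_check` is a constructed stand-in for posting an `authorization.k8s.io/v1` SubjectAccessReview for the controller's service account and reading `status.allowed`; the policy table and cached objects are constructed sample data, and the `clock` parameter exists only so the TTL behaviour can be exercised without sleeping.

```python
"""Per-controller gating of reads from a shared cache, with TTL-cached verdicts.

Added example; the authorizer backend and data below are constructed stand-ins.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Tuple

Key = Tuple[str, str, str, str]  # (service account, apiGroup, resource, verb)

# Constructed policy: what each controller's service account may read.
POLICY: Dict[str, FrozenSet[Tuple[str, str, str]]] = {
    "system:serviceaccount:apps:bluegreen-controller": frozenset({
        ("apps", "deployments", "get"), ("apps", "deployments", "list"),
        ("example.com", "bluegreendeployments", "get"),
    }),
    "system:serviceaccount:apps:backup-controller": frozenset({
        ("", "secrets", "get"), ("", "secrets", "list"),
    }),
}


def sar_check(sa: str, group: str, resource: str, verb: str) -> bool:
    """Stand-in for a SubjectAccessReview against the API server."""
    return (group, resource, verb) in POLICY.get(sa, frozenset())


@dataclass
class CachedAuthorizer:
    """Memoizes verdicts per (SA, group, resource, verb) for ttl_seconds.
    Denials are cached as well as allows, so a denied controller cannot turn
    the gate into a SubjectAccessReview amplifier; the TTL bounds how long a
    revoked binding keeps being honoured."""
    check: Callable[[str, str, str, str], bool]
    ttl_seconds: float = 30.0
    clock: Callable[[], float] = time.monotonic
    backend_calls: int = 0  # how often the backing check actually ran
    _entries: Dict[Key, Tuple[bool, float]] = field(default_factory=dict)

    def allowed(self, sa: str, group: str, resource: str, verb: str) -> bool:
        key = (sa, group, resource, verb)
        now = self.clock()
        entry = self._entries.get(key)
        if entry is not None and entry[1] > now:
            return entry[0]
        verdict = self.check(sa, group, resource, verb)
        self.backend_calls += 1
        self._entries[key] = (verdict, now + self.ttl_seconds)
        return verdict


@dataclass
class GuardedCache:
    """A shared object cache whose reads are authorized per calling controller."""
    authz: CachedAuthorizer
    # keyed by (apiGroup, resource, namespace, name)
    objects: Dict[Tuple[str, str, str, str], dict] = field(default_factory=dict)

    def get(self, sa: str, group: str, resource: str, namespace: str, name: str) -> dict:
        if not self.authz.allowed(sa, group, resource, "get"):
            raise PermissionError(f"{sa} may not get {group or 'core'}/{resource}")
        return self.objects[(group, resource, namespace, name)]


def build_demo(clock: Callable[[], float] = time.monotonic, ttl: float = 30.0) -> GuardedCache:
    """Populate a cache with constructed objects: one Deployment and one Secret."""
    cache = GuardedCache(authz=CachedAuthorizer(check=sar_check, ttl_seconds=ttl, clock=clock))
    cache.objects[("apps", "deployments", "apps", "web")] = {"kind": "Deployment", "replicas": 3}
    cache.objects[("", "secrets", "apps", "db-creds")] = {"kind": "Secret", "data": "REDACTED"}
    return cache


if __name__ == "__main__":
    cache = build_demo()
    bluegreen = "system:serviceaccount:apps:bluegreen-controller"
    print(cache.get(bluegreen, "apps", "deployments", "apps", "web"))
    try:
        cache.get(bluegreen, "", "secrets", "apps", "db-creds")
    except PermissionError as err:
        print("denied:", err)
```

The cache key includes the service account, so two controllers asking for the same resource get independent verdicts, which is what keeps the shared informer from leaking one tenant's readable objects to another. The TTL is the trade-off the comment mentions: a longer TTL means fewer authz round-trips, but also a longer window in which a binding removed by an admin is still honoured from the verdict cache.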
Are you familiar with how the kubernetes Controller-Manager works with RBAC? I think what you've suggested with using a different service account for every controller sounds a lot like how k8s controller-manager works. I'll have to look into what they do about reads, because I thought they were using SharedInformers.
Yeah my service account idea was intended to be a generalization of what kube-controller-manager does.
I guess it would make sense if they don't bother restricting cached reads in controller-manager, since the code running there is trusted. For example, even if StatefulSet became a confused deputy, we're pretty sure it doesn't read Secrets because the code doesn't call that API, so it would be unlikely to leak Secrets if compromised.
By contrast, Metacontroller is a multi-tenant service. Admins probably don't want to give the same global read access to all users who have permission to install controllers via Metacontroller.
Depending on assumptions of scale and the churn rate of a cluster it might be simpler and more robust to not use SharedInformers at all. We would almost certainly end up with more watches but no more than you would end up with if each controller was deployed independently without metacontroller.
@rlguarino @enisoc Aggregate roles can be an immediate and good solution.
Also the Controller Manager approach sounds interesting.
Metacontroller is a multi-tenant service. Admins probably don't want to give the same global read access to all users who have permission to install controllers via Metacontroller.
As a system admin, completely agree. Thanks!
@enisoc It looks like (based on #9) that some resolution for this was expected in Q3 2018. Have you been able to experiment with solutions proposed here?