Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

adds patch privileges to RBAC rules #46

Closed
wants to merge 1 commit into from
Closed

adds patch privileges to RBAC rules #46

wants to merge 1 commit into from

Conversation

xh3b4sd
Copy link
Contributor

@xh3b4sd xh3b4sd commented Jun 19, 2018

@xh3b4sd xh3b4sd self-assigned this Jun 19, 2018
@xh3b4sd xh3b4sd requested a review from a team June 19, 2018 16:32
@xh3b4sd xh3b4sd deployed to gorgoth June 19, 2018 16:39 Active
kopiczko
kopiczko approved these changes Jun 19, 2018
View reviewed changes
Copy link
Contributor

@kopiczko kopiczko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, however as you said it's concerning the issue just appeared.

xh3b4sd
xh3b4sd commented Jun 19, 2018
View reviewed changes
helm/node-operator-chart/templates/rbac.yaml
resources:
- nodes
verbs:
- patch
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This does not seem to do the trick. The errors are the same. I found kubernetes/kops#3551 (comment) but I am not sure this goes into the right direction. @giantswarm/sre feedback please. <3

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I noticed that this does not work because the RBAC rules here define access to the host cluster. The access issues we have are with guest clusters. So what do we need to do within the guest clusters to fix the problem of not being able to patch the guest cluster nodes via node-operator?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, exactly we need permission in the guest cluster. The first question would be what kind of access we use for node operator? which certs are used?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We use the certs issued for node-operator. See

node-operator/service/controller/v1/resource/node/create.go

Line 48 in 39df9fa

draining, err = r.certsSearcher.SearchDraining(key.ClusterID(customObject))
. The certs are managed with cluster-operator. See https://github.com/giantswarm/cluster-operator/blob/4c171e4fdeb3636cfe80170d9ad032dd96fb52ca/pkg/v4/resource/certconfig/desired.go#L364-L396. To me it looks like there is not really anything we can do with the certs. I think the certs work and aren't the problem. The problem is some cluster role binding magic in the guest cluster, which is missing I guess. I wonder why though and how we want to address this.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So the certs have organization on which then the RBAC rules are bind.
I checked random node-operator certs and it seems they have organization: null so I am wondering how this could work at all.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see. We only set the system:masters org for the API certs. See https://github.com/giantswarm/cluster-operator/blob/4c171e4fdeb3636cfe80170d9ad032dd96fb52ca/pkg/v4/resource/certconfig/desired.go#L185. Do you think we should go with this? The weird thing is that this grants like everything. Can we just scope this down a little bit? I think I can setup some tests to get this straight.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So the CRD has no organization but generated cert has O=node-operator

Yeah this is the default for all components.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cant find any binding to that organization in k8scloudconfig

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I reckon so. We just add the component name by default. Do you think the proper solution would be to add some role binding in k8scc for node-operator for the nodes scope?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, if something needs to access the api of the guest cluster it needs to be allowed the actions it needs to do, e.g. node-operator needs to be able to use get, drain,... verbs on node resource, maybe even more.

@xh3b4sd
Copy link
Contributor Author

xh3b4sd commented Jun 20, 2018

This is not fixing the problem.

@xh3b4sd xh3b4sd closed this Jun 20, 2018
@xh3b4sd xh3b4sd deleted the rbac branch June 20, 2018 10:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@puja108 puja108 puja108 left review comments

@calvix calvix calvix left review comments

@kopiczko kopiczko kopiczko approved these changes

Assignees

@xh3b4sd xh3b4sd

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@xh3b4sd @kopiczko @puja108 @calvix