minimize the rbac permissions for karmada-agent

[B1F030]

What type of PR is this?
/kind feature

What this PR does / why we need it:

Which issue(s) this PR fixes:
Part of #5182

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

[B1F030]

/cc @zhzhuang-zju

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 41.85%. Comparing base (90df54a) to head (976e62f).

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #5629      +/-   ##
==========================================
- Coverage   41.85%   41.85%   -0.01%     
==========================================
  Files         655      655              
  Lines       55756    55756              
==========================================
- Hits        23338    23335       -3     
- Misses      30907    30910       +3     
  Partials     1511     1511              

Flag	Coverage Δ
unittests	41.85% <ø> (-0.01%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[B1F030]

/hold

[B1F030]

/unhold

[B1F030]

/cc @zhzhuang-zju

[RainbowMango]

Hi @B1F030 Please quash commits and get this PR ready.

[zhzhuang-zju]

@B1F030 The review is ongoing, and I will check whether your RBAC configuration ensures the normal operation of the agent and whether there are any redundant permissions.

[zhzhuang-zju]

@B1F030 Can you explain what these roles are and why they are commented out?

[B1F030]

To minimize the rbac permissions for karmada-agent, we can limit some sensitive permissions to minimum.
Sensitive permissions including:

• clusters: [create, get]
• clusters/status: [update]
• secrets: [get, list, watch, create, patch]
• works: [create, get, list, watch, update, delete]
• works/status: [patch, delete]

Because clusters and clusters/status are not namespace-scoped, we can limit the specific resourceNames as {{clustername}}.
And because secrets and works, works/status are namespace-scoped, we can collect them into specific roles, as:
system:karmada:agent-secret(in namespace {{cluster_namespace}}, default to karmada-cluster) for secrets,
system:karmada:agent-work(in namespace karmada-es-{{clustername}}) for works, works/status.

But for now we cannot use them without codechange, for example, It will come to Error when setting up basic environment:

Error from server (NotFound):
error when creating "artifacts/deploy/bootstrap-token-configuration.yaml":
namespaces "karmada-es-{{clustername}}" not found

So we plan to comment out these roles for now, and after when we can create ns during the register.go, we can cancel the comments.

[zhzhuang-zju]

The un-commented parts represent the minimal RBAC permissions that can be achieved without modifying the code and the existing karmadactl register workflow.
The commented parts represent the desired minimal RBAC permissions

[zhzhuang-zju]

Can we move the commented part into the documentation to demonstrate the agent's minimal permission set, and then later modify the code to align the agent's RBAC permissions with the desired minimal RBAC?

[zhzhuang-zju]

cc @RainbowMango

[RainbowMango]

?

[zhzhuang-zju]

thanks~
/lgtm
cc @RainbowMango @XiShanYongYe-Chang

[XiShanYongYe-Chang]

/lgtm

[RainbowMango]

/approve

[karmada-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: RainbowMango

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [RainbowMango]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment