kedacore / keda

KEDA is a Kubernetes-based Event Driven Autoscaling component. It provides event driven scale for any container running in Kubernetes
https://keda.sh
Apache License 2.0

Include RBAC permissions to custom resources in KEDA manifests #2723

Open wmedlar opened 2 years ago

wmedlar commented 2 years ago

Proposal

KEDA should attach corresponding CRD permissions to the built-in view, edit, and admin ClusterRoles through ClusterRole aggregation. Right now KEDA requires configuring permissions for its resources manually, introducing burden for cluster operators. Aggregation is a common pattern for applications that deploy CRDs (see cert-manager for an example) that reduces this burden and simplifies the installation process.

Use-Case

As a cluster operator, I would like to provide KEDA as a platform service to application teams, using a permissions model that follows best practices by consuming built-in, least-privileged ClusterRoles.

Anything else?

This is an example of the aggregated ClusterRoles that I apply manually after deploying KEDA.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: keda:edit
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups:
  - keda.sh
  resources:
  - clustertriggerauthentications
  - scaledjobs
  - scaledobjects
  - triggerauthentications
  verbs:
  - create
  - delete
  - patch
  - update

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: keda:view
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
  - keda.sh
  resources:
  - clustertriggerauthentications
  - scaledjobs
  - scaledobjects
  - triggerauthentications
  verbs:
  - get
  - list
  - watch
```

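To see what the proposal above actually grants once the API server folds these two ClusterRoles into the built-in roles, here is an offline model of the aggregation controller (example code added here, not KEDA's or the issue author's). It mirrors the two ClusterRoles as Python dicts, applies the `aggregate-to-*` label selectors the built-in `view`, `edit` and `admin` roles carry, and includes a lint a cluster operator would want: nothing aggregated into `view` may carry a write verb.

```python
# Offline model of the Kubernetes ClusterRole aggregation controller (added
# example, not KEDA's code): the built-in view/edit/admin roles carry an
# aggregationRule selecting rbac.authorization.k8s.io/aggregate-to-* labels;
# the controller unions the rules of every matching ClusterRole into them.
KEDA_RESOURCES = ["clustertriggerauthentications", "scaledjobs",
                  "scaledobjects", "triggerauthentications"]
# Constructed Python mirror of the two ClusterRoles proposed in the issue.
KEDA_ROLES = [
    {"metadata": {"name": "keda:edit", "labels": {
        "rbac.authorization.k8s.io/aggregate-to-admin": "true",
        "rbac.authorization.k8s.io/aggregate-to-edit": "true"}},
     "rules": [{"apiGroups": ["keda.sh"], "resources": KEDA_RESOURCES,
                "verbs": ["create", "delete", "patch", "update"]}]},
    {"metadata": {"name": "keda:view", "labels": {
        "rbac.authorization.k8s.io/aggregate-to-admin": "true",
        "rbac.authorization.k8s.io/aggregate-to-edit": "true",
        "rbac.authorization.k8s.io/aggregate-to-view": "true"}},
     "rules": [{"apiGroups": ["keda.sh"], "resources": KEDA_RESOURCES,
                "verbs": ["get", "list", "watch"]}]},
]
# Label selectors carried by the built-in roles' aggregationRule.
BUILTIN_SELECTORS = {
    "view": {"rbac.authorization.k8s.io/aggregate-to-view": "true"},
    "edit": {"rbac.authorization.k8s.io/aggregate-to-edit": "true"},
    "admin": {"rbac.authorization.k8s.io/aggregate-to-admin": "true"},
}
READ_ONLY = {"get", "list", "watch"}

def aggregate(roles, selector):
    """Union the rules of every ClusterRole whose labels match selector."""
    rules = []
    for role in roles:
        labels = role["metadata"].get("labels", {})
        if all(labels.get(k) == v for k, v in selector.items()):
            rules.extend(role.get("rules", []))
    return rules

def verbs_for(roles, builtin, group, resource):
    """Verbs the aggregated built-in role grants on group/resource."""
    verbs = set()
    for rule in aggregate(roles, BUILTIN_SELECTORS[builtin]):
        if group in rule["apiGroups"] and resource in rule["resources"]:
            verbs.update(rule["verbs"])
    return verbs

def view_stays_read_only(roles):
    """Lint: nothing aggregated into 'view' may carry a write verb."""
    return all(set(r["verbs"]) <= READ_ONLY
               for r in aggregate(roles, BUILTIN_SELECTORS["view"]))
```

Running `verbs_for(KEDA_ROLES, "edit", "keda.sh", "scaledjobs")` shows `edit` and `admin` receive both the read and write verbs because `keda:view` and `keda:edit` both aggregate to them, while `view` receives only get/list/watch.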
tomkerkhove commented 2 years ago

@zroubalik Thoughts? @wmedlar Are you willing to jump in if we want to do this? Keep in mind that we should be backwards compatible.

wmedlar commented 2 years ago

If needed, sure.

zroubalik commented 2 years ago

Sounds good, let's do this :)

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.
