kubeflow / spark-operator

Kubernetes operator for managing the lifecycle of Apache Spark applications on Kubernetes.
Apache License 2.0

Minimal ClusterRole for Spark operator cluster scope bindings when all namespaces are watched #1400

Open apiwoni opened 2 years ago

apiwoni commented 2 years ago

I need to run the Spark operator watching multiple namespaces on a multi-tenant cluster. This is currently done via a cluster role binding with a rather wide set of cluster-scoped permissions in spark-operator-rbac.yaml.

This is not going to fly with the security group in a multi-tenant cluster. So I'm trying to come up with a smaller set of cluster-scoped permissions for the operator and then let each watched namespace apply all permissions in spark-operator-rbac.yaml, but with a local binding in every watched namespace.

Here's a restricted ClusterRole for the Spark operator that worked without webhooks and batch enabled:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: spark-operator-restricted
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - list
      - watch
  - apiGroups:
      - sparkoperator.k8s.io
    resources:
      - sparkapplications
      - sparkapplications/status
      - scheduledsparkapplications
      - scheduledsparkapplications/status
    verbs:
      - list
      - watch

Here's the above ClusterRole bound at cluster scope:

kubectl create clusterrolebinding spark-operator-restricted \
  --clusterrole=spark-operator-restricted \
  --serviceaccount=spark-operator-namespace:spark-operator

Here's the local binding of all Spark operator permissions from spark-operator-rbac.yaml in a tenant namespace to the Spark operator service account:

kubectl create rolebinding spark-operator-admin \
  --clusterrole=spark-operator \
  --serviceaccount=spark-operator-namespace:spark-operator \
  --namespace=tenant1-namespace

I have not tested all the functionality of Spark operator and I would like this role to work with webhook, batch and pod monitor enabled.

Is the set of permissions above for the restricted ClusterRole in the Spark operator's cluster role binding sufficient? Have I missed any permissions?
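A way to answer the "have I missed any permissions?" question methodically is to evaluate the ClusterRole with Kubernetes' own RBAC matching rules against a list of the cluster-scoped requests the operator makes. The following is an added example, not code from the issue or from the spark-operator project; the ClusterRole rules are transcribed from the issue, the matching semantics mirror Kubernetes RBAC (`*` wildcards, the core API group written as `""`, subresources named explicitly or via `*/<subresource>`), and the list of requests to check is a constructed sample, not derived from the operator's source.

```python
# Static RBAC coverage check for a ClusterRole (hypothetical helper).
from typing import Dict, List, Tuple

Request = Tuple[str, str, str]  # (apiGroup, resource, verb)
Rule = Dict[str, List[str]]

# The restricted ClusterRole from the issue, transcribed as Python data.
SPARK_OPERATOR_RESTRICTED: List[Rule] = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["list", "watch"]},
    {"apiGroups": ["sparkoperator.k8s.io"],
     "resources": ["sparkapplications", "sparkapplications/status",
                   "scheduledsparkapplications",
                   "scheduledsparkapplications/status"],
     "verbs": ["list", "watch"]},
]

def _matches(wanted: str, allowed: List[str]) -> bool:
    # Kubernetes treats "*" as matching anything in apiGroups and verbs.
    return "*" in allowed or wanted in allowed

def _resource_matches(wanted: str, allowed: List[str]) -> bool:
    if _matches(wanted, allowed):
        return True
    # "*/status" style entries match that subresource of any parent resource.
    if "/" in wanted:
        return "*/" + wanted.split("/", 1)[1] in allowed
    return False

def rule_allows(rule: Rule, req: Request) -> bool:
    group, resource, verb = req
    return (_matches(group, rule["apiGroups"])
            and _resource_matches(resource, rule["resources"])
            and _matches(verb, rule["verbs"]))

def missing_permissions(rules: List[Rule], needed: List[Request]) -> List[Request]:
    """Return every (apiGroup, resource, verb) request that no rule grants."""
    return [r for r in needed if not any(rule_allows(rule, r) for rule in rules)]

# Constructed sample of cluster-wide requests: the informer list/watch calls the
# issue relies on, plus two requests the restricted role does not grant.
NEEDED: List[Request] = [
    ("", "pods", "list"), ("", "pods", "watch"),
    ("sparkoperator.k8s.io", "sparkapplications", "watch"),
    ("sparkoperator.k8s.io", "scheduledsparkapplications/status", "list"),
    ("", "pods", "delete"),       # expected to be reported as missing
    ("", "configmaps", "list"),   # expected to be reported as missing
]

if __name__ == "__main__":
    for group, resource, verb in missing_permissions(SPARK_OPERATOR_RESTRICTED, NEEDED):
        print(f"MISSING: {verb} {resource} in apiGroup {group!r}")
```

Replacing NEEDED with the verbs the operator's full role in spark-operator-rbac.yaml grants turns this into a diff between the wide and the restricted role; anything that must stay cluster-wide rather than per-namespace then shows up as a missing entry.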

github-actions[bot] commented 12 hours ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.