kubernetes-sigs / hierarchical-namespaces

Home of the Hierarchical Namespace Controller (HNC). Adds hierarchical policies and delegated creation to Kubernetes namespaces for improved in-cluster multitenancy.
Apache License 2.0
610 stars 105 forks

Add permissions on hnc CRDs to default clusterRoles: cluster-reader, view, edit, admin #318

Closed zfrhv closed 7 months ago

zfrhv commented 1 year ago

Changing permissions to default clusterRoles. Each user that has admin/edit can manage sub-namespaces and HRQs. Each user that has view/cluster-reader can see all hnc CRs.

Related to: #317
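The mechanism this PR relies on, shown as an added example rather than the PR's own diff: Kubernetes aggregates any ClusterRole carrying an `aggregate-to-*` label into the matching built-in role, so HNC permissions can be folded into view/edit/admin (and OpenShift's cluster-reader) without editing those roles directly. The HNC resource names under `hnc.x-k8s.io` are assumed here and are not quoted in the thread.

```yaml
# Added example (not from the PR): aggregated ClusterRoles for HNC resources.
# Resource names are assumed from HNC's hnc.x-k8s.io API group.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: hnc-aggregate-view
  labels:
    # The aggregation controller merges these rules into "view"
    # (and into "cluster-reader" on OpenShift, which uses the same pattern).
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
rules:
- apiGroups: ["hnc.x-k8s.io"]
  resources:
  - hierarchyconfigurations
  - hncconfigurations
  - subnamespaceanchors
  - hierarchicalresourcequotas
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: hnc-aggregate-edit
  labels:
    # The built-in "admin" role aggregates "edit", so one label covers both.
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups: ["hnc.x-k8s.io"]
  resources:
  # Only the objects the PR says edit/admin users should manage:
  # sub-namespaces (anchors) and hierarchical resource quotas.
  - subnamespaceanchors
  - hierarchicalresourcequotas
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

Aggregation is additive, so every existing RoleBinding to edit or admin gains the right to create subnamespace anchors in that namespace as soon as these objects are applied; `kubectl auth can-i create subnamespaceanchors.hnc.x-k8s.io --as=<user> -n <namespace>` is a quick way to confirm the effective grant.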

k8s-ci-robot commented 1 year ago

Hi @zfrhv. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

zfrhv commented 1 year ago

Also, is hnc supposed to have cluster-admin? https://github.com/kubernetes-sigs/hierarchical-namespaces/blob/master/config/rbac/role.yaml#L19C1-L24C8

adrianludwin commented 1 year ago

> Also does hnc supposed to have cluster-admin?: https://github.com/kubernetes-sigs/hierarchical-namespaces/blob/master/config/rbac/role.yaml#L19C1-L24C8

Basically, yes, since HNC can be used to copy any namespaced object. If there were a way to only give permissions for namespaced objects we'd do that, but AFAIK this doesn't exist.

Individual HNC users can easily restrict HNC to only have access to an allowlisted set of resources, but this is the only default that will reliably work in all cases.

zfrhv commented 1 year ago

> If there were a way to only give permissions for namespaced objects we'd do that, but AFAIK this doesn't exist.

Isn't that what the OperatorGroups are made for?
When installing an operator with OLM, an OperatorGroup must exist, and there you can specify the list of the namespaces on which the operator will have permissions.
You can even use a label selector: just put the label on the namespace and the operator should get control of it. I hope I'm not mistaken.

adrianludwin commented 1 year ago

OperatorGroups appear to only be an OpenShift concept, not a K8s concept. So I can't comment on that... plus from your description it's a way to select the namespaces for the operator, but not the types of objects.

zfrhv commented 1 year ago

> OperatorGroups appear to only be an OpenShift concept

OLM can be installed in Kubernetes, but I understand if you don't want to use it because probably most Kubernetes people don't use it.

> plus from your description it's a way to select the namespaces for the operator, but not the types of objects.

I'm pretty sure you can configure the objects that you need the permissions for, and OLM will create permissions for those objects in the listed namespaces (maybe you can specify *).

I'm not too confident because the only operator I made was from helm chart, and it was bad quality.

zfrhv commented 12 months ago

Also I didn't know I had to update incubator/hnc/config/rbac/kustomization.yaml, so I'm gonna do that.

rjbez17 commented 10 months ago

/ok-to-test

/assign @adrianludwin

adrianludwin commented 10 months ago

Failure looks unrelated, probably just a flake?

/lgtm /retest

k8s-triage-robot commented 7 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

rjbez17 commented 7 months ago

/remove-lifecycle stale

rjbez17 commented 7 months ago

/lgtm /approve

k8s-ci-robot commented 7 months ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rjbez17, zfrhv

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/kubernetes-sigs/hierarchical-namespaces/blob/master/OWNERS)~~ [rjbez17]

Approvers can indicate their approval by writing `/approve` in a comment.
Approvers can cancel approval by writing `/approve cancel` in a comment.