nforgeio / operator-sdk

A Kubernetes operator SDK for .NET
https://docs.neonforge.com/docs/operator-sdk
Apache License 2.0

Generated namespaced roles need to specify the namespace? #27

Closed jefflill closed 6 months ago

jefflill commented 6 months ago

The neon-cluster-operator service specifies the following RBAC rules:

[RbacRule<V1ConfigMap>(Verbs = RbacVerb.All, Scope = EntityScope.Cluster)]
[RbacRule<V1Secret>(Verbs = RbacVerb.All, Scope = EntityScope.Cluster)]
[RbacRule<V1Pod>(Verbs = RbacVerb.List, Scope = EntityScope.Namespaced, Namespace = KubeNamespace.NeonSystem)]
public partial class Service : NeonService

The OperatorSDK generates two role files:

clusterrole-neon-cluster-operator.yaml
role-neon-cluster-operator.yaml

clusterrole-neon-cluster-operator.yaml looks OK:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: neon-cluster-operator
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - namespaces
  - nodes
  - pods
  - secrets
  verbs:
  - '*'
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
  - update
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  verbs:
  - '*'
- apiGroups:
  - minio.min.io
  resources:
  - tenants
  verbs:
  - '*'
- apiGroups:
  - minio.neonkube.io
  resources:
  - miniobuckets
  - miniobuckets/status
  verbs:
  - '*'
- apiGroups:
  - neonkube.io
  resources:
  - crioconfigurations
  - crioconfigurations/status
  - neonclusterjobs
  - neonclusterjobs/status
  - neoncontainerregistries
  - neoncontainerregistries/status
  - neondashboards
  - neondashboards/status
  - neonnodetasks
  - neonnodetasks/status
  - neonssocallbackurls
  - neonssocallbackurls/status
  - neonssoclients
  - neonssoclients/status
  verbs:
  - '*'

but role-neon-cluster-operator.yaml should be specifying the target namespace in its metadata, right?

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: neon-cluster-operator
rules:
- apiGroups:
  - ""
  resourceNames:
  - neon-sso-oauth2-proxy
  resources:
  - configmaps
  verbs:
  - get
  - update
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
- apiGroups:
  - ""
  resourceNames:
  - neon-cluster-operator-webhook-tls
  resources:
  - secrets
  verbs:
  - watch
- apiGroups:
  - cert-manager.io
  resources:
  - certificates
  verbs:
  - '*'
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - '*'

So, I think the namespace role is actually being applied only to the default namespace right now.

Note that it's possible for a service to reference multiple namespaces, so you'll need to generate multiple role manifests in this file, one per referenced namespace, separating these with "---" lines.
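To show what the requested output looks like, here is an added example (not the operator-sdk's own generator) that splits a set of rules like the attributes above into one ClusterRole plus one Role per referenced namespace, each Role carrying metadata.namespace, renders them as a "---"-separated file, and lints for Role documents that would otherwise land in the default namespace. The namespace values ("neon-system" for KubeNamespace.NeonSystem, and "neon-monitor") and the tiny YAML emitter are assumptions for the example.

```python
from dataclasses import dataclass

API = "rbac.authorization.k8s.io/v1"

@dataclass(frozen=True)
class RbacRule:
    """Mirrors RbacRule<T>: namespace=None stands for EntityScope.Cluster."""
    api_group: str                   # "" is the core API group
    resource: str                    # plural resource name, e.g. "configmaps"
    verbs: tuple                     # ("*",) corresponds to RbacVerb.All
    namespace: "str | None" = None

def build_roles(name, rules):
    """One ClusterRole plus one Role per namespace; every Role gets metadata.namespace."""
    cluster = {"apiVersion": API, "kind": "ClusterRole", "metadata": {"name": name}, "rules": []}
    roles = {}
    for r in rules:
        entry = {"apiGroups": [r.api_group], "resources": [r.resource], "verbs": list(r.verbs)}
        if r.namespace is None:
            cluster["rules"].append(entry)
        else:
            role = roles.setdefault(r.namespace, {"apiVersion": API, "kind": "Role",
                    "metadata": {"name": name, "namespace": r.namespace}, "rules": []})
            role["rules"].append(entry)
    return cluster, roles

def to_yaml(node, indent=0):
    """Minimal emitter for the dict/list/str shapes used here, not a general YAML writer."""
    pad = "  " * indent
    if isinstance(node, dict):
        return "\n".join(f"{pad}{k}:\n{to_yaml(v, indent + 1)}" if isinstance(v, (dict, list))
                         else f"{pad}{k}: {to_yaml(v)}" for k, v in node.items())
    if isinstance(node, list):
        return "\n".join(pad + "- " + to_yaml(i, indent + 1)[len(pad) + 2:] if isinstance(i, dict)
                         else f"{pad}- {to_yaml(i)}" for i in node)
    return f"'{node}'" if node in ("", "*") else str(node)  # quote the two YAML-sensitive scalars

def render_role_file(roles):
    """Multi-document role file: one Role manifest per namespace, separated by '---' lines."""
    return "\n---\n".join(to_yaml(roles[ns]) for ns in sorted(roles)) + "\n"

def unscoped_roles(docs):
    """Lint: names of Role/RoleBinding docs lacking metadata.namespace (they would bind to 'default')."""
    return [d["metadata"]["name"] for d in docs
            if d.get("kind") in ("Role", "RoleBinding") and "namespace" not in d.get("metadata", {})]

# Constructed input: the three attributes from the issue plus one assumed extra namespaced rule.
RULES = [
    RbacRule("", "configmaps", ("*",)),
    RbacRule("", "secrets", ("*",)),
    RbacRule("", "pods", ("list",), namespace="neon-system"),
    RbacRule("coordination.k8s.io", "leases", ("*",), namespace="neon-monitor"),
]
```

Running `unscoped_roles` over every document in a generated manifest is a cheap pre-deploy check that catches exactly the silent fall-through to the default namespace described above.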

marcusbooyah commented 6 months ago

I removed the namespace property for now since it doesn't actually do anything. Namespaced roles might be a feature we can add in the future.

Generated roles don't need to specify the namespace since tools like helm will add it for you.