open-policy-agent / kube-mgmt

Sidecar for managing OPA instances in Kubernetes.
Apache License 2.0

OPA, Kubernetes role/rolebinding and strimzi #228

Closed. Opened by gwenael-lebarzic; closed 11 months ago.

gwenael-lebarzic commented 11 months ago

Hello.

I am opening this issue because I am trying to use OPA as the authorization system for Strimzi (an Apache Kafka cluster on Kubernetes).

I'm working on a Kubernetes cluster where I am not a cluster admin. I work in the namespace my-namespace, where I am the namespace admin.

I am trying to deploy OPA like this:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: opa
  labels:
    app: opa
spec:
  replicas: 1
  selector:
    matchLabels:
      app: opa
  template:
    metadata:
      labels:
        app: opa
      name: opa
    spec:
      securityContext:
        runAsUser: 1001
        fsGroup: 1001
      containers:
      - name: kube-mgmt
        image: openpolicyagent/kube-mgmt:8.3.0
        args:
          - "--replicate=kafka.strimzi.io/v1beta2/kafkatopics"
          - "--replicate=kafka.strimzi.io/v1beta2/kafkausers"
          - "--namespaces=my-namespace"
        resources:
          requests:
            memory: 500Mi
            cpu: "1"
          limits:
            memory: 500Mi
            cpu: "1"
      - name: opa
        image: openpolicyagent/opa:0.57.0
        resources:
          requests:
            memory: 1Gi
            cpu: "4"
          limits:
            memory: 1Gi
            cpu: "4"
        ports:
        - name: http
          containerPort: 8181
        args:
        - "run"
        - "--ignore=.*"  # exclude hidden dirs created by Kubernetes
        - "--server"
        - "/policies"
        volumeMounts:
        - readOnly: true
          mountPath: /policies
          name: kafka-policies
      volumes:
      - name: kafka-policies
        configMap:
          name: kafka-policies

When I deploy the opa container like this, together with the kube-mgmt container, I see the following errors in the logs of the opa container:

E1018 08:27:20.433570       1 reflector.go:138] k8s.io/client-go@v0.23.8/tools/cache/reflector.go:167: Failed to watch *unstructured.Unstructured: failed to list *unstructured.Unstructured: kafkatopics.kafka.strimzi.io is forbidden: User "system:serviceaccount:my-namespace:default" cannot list resource "kafkatopics" in API group "kafka.strimzi.io" at the cluster scope
W1018 08:27:26.511207       1 reflector.go:324] k8s.io/client-go@v0.23.8/tools/cache/reflector.go:167: failed to list *unstructured.Unstructured: kafkausers.kafka.strimzi.io is forbidden: User "system:serviceaccount:my-namespace:default" cannot list resource "kafkausers" in API group "kafka.strimzi.io" at the cluster scope

I created my custom resources (KafkaTopics and KafkaUsers) in my namespace my-namespace. Is it possible to make OPA work with a service account without a ClusterRole?

I tried to create a Role and a RoleBinding for the default service account of my namespace:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: strimzi-view
  labels:
    app: strimzi
    # Add these permissions to the "view" default role.
    # Note: aggregation labels only take effect on ClusterRoles; on a
    # namespaced Role this label is ignored.
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups:
      - "kafka.strimzi.io"
    resources:
      - kafkas
      - kafkaconnects
      - kafkamirrormakers
      - kafkausers
      - kafkatopics
      - kafkabridges
      - kafkaconnectors
      - kafkamirrormaker2s
      - kafkarebalances
    verbs:
      - get
      - list
      - watch
---
# The "---" above is required: without it the two objects are not valid
# separate YAML documents and kubectl rejects the file.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: strimzi-opa
  labels:
    app: strimzi
subjects:
  - kind: ServiceAccount
    name: default
    namespace: my-namespace   # the namespace the service account lives in
roleRef:
  kind: Role
  name: strimzi-view
  apiGroup: rbac.authorization.k8s.io
# A Role bound by a RoleBinding only authorizes requests made inside
# my-namespace; the denied list in the log above was "at the cluster scope".

But sadly it does not help.

Is it possible to use OPA the way I am trying to, only to handle authorization for a Kafka cluster managed by the Strimzi operator, without being an admin of the Kubernetes cluster?

Originally posted by @gwenael-lebarzic in https://github.com/open-policy-agent/community/discussions/501

eshepelyuk commented 11 months ago

I don't think it's currently possible without adjusting the kube-mgmt code, since the resource replicator requires a cluster role.
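Why the namespace-scoped Role in the first post cannot satisfy the list that kube-mgmt issues, and why the answer above says a cluster role is required, as an added example (it is not code from kube-mgmt or from this thread). It models the relevant piece of Kubernetes RBAC in Python: a RoleBinding only matches requests made inside its own namespace, while the reflector's list is "at the cluster scope" (empty namespace), so only a ClusterRole bound by a ClusterRoleBinding can match it. The forbidden-message regex follows the shape of the log lines quoted in the issue; the `Rule`/`Binding` model, the `evaluate` helper and the second, namespaced log line are constructed for the example, and the service-account, namespace and resource names are taken from the issue.

```python
import re
from dataclasses import dataclass

# Shape of the API server's forbidden message, as seen in the kube-mgmt log
# lines quoted in the issue. Cluster-scoped requests end with
# "at the cluster scope", namespaced ones with 'in the namespace "<ns>"'.
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
    r' (?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)


@dataclass(frozen=True)
class Request:
    user: str
    verb: str
    group: str
    resource: str
    namespace: str  # "" means the request was made at the cluster scope


def parse_forbidden(line: str) -> Request:
    """Extract the denied request from a 'forbidden' log line."""
    m = FORBIDDEN_RE.search(line)
    if m is None:
        raise ValueError("not a forbidden message: " + line)
    return Request(m["user"], m["verb"], m["group"], m["resource"], m["namespace"] or "")


def sa_user(namespace: str, name: str) -> str:
    """User name the API server assigns to a ServiceAccount subject."""
    return f"system:serviceaccount:{namespace}:{name}"


@dataclass(frozen=True)
class Rule:
    groups: frozenset
    resources: frozenset
    verbs: frozenset

    def matches(self, req: Request) -> bool:
        return (("*" in self.groups or req.group in self.groups)
                and ("*" in self.resources or req.resource in self.resources)
                and ("*" in self.verbs or req.verb in self.verbs))


@dataclass(frozen=True)
class Binding:
    """Role+RoleBinding (namespace set) or ClusterRole+ClusterRoleBinding (namespace "")."""
    subjects: frozenset
    rules: tuple
    namespace: str


def allowed(req: Request, bindings) -> bool:
    """Simplified RBAC decision: any matching binding with a matching rule allows."""
    for b in bindings:
        if req.user not in b.subjects:
            continue
        # A RoleBinding only covers requests made inside its own namespace;
        # a cluster-scope request (namespace "") can never match it.
        if b.namespace and req.namespace != b.namespace:
            continue
        if any(rule.matches(req) for rule in b.rules):
            return True
    return False


# Constructed inputs: the rule from the Role in the issue, bound two ways
# to the same service account that kube-mgmt runs as.
STRIMZI_RULE = Rule(
    groups=frozenset({"kafka.strimzi.io"}),
    resources=frozenset({"kafkas", "kafkausers", "kafkatopics"}),
    verbs=frozenset({"get", "list", "watch"}),
)
OPA_SA = sa_user("my-namespace", "default")
ROLE_BINDING = Binding(frozenset({OPA_SA}), (STRIMZI_RULE,), namespace="my-namespace")
CLUSTER_ROLE_BINDING = Binding(frozenset({OPA_SA}), (STRIMZI_RULE,), namespace="")

# Log line copied from the issue (kube-mgmt's reflector listing at cluster scope).
LOG_LINE = ('E1018 08:27:20.433570       1 reflector.go:138] failed to list '
            '*unstructured.Unstructured: kafkatopics.kafka.strimzi.io is forbidden: '
            'User "system:serviceaccount:my-namespace:default" cannot list resource '
            '"kafkatopics" in API group "kafka.strimzi.io" at the cluster scope')


def evaluate(line: str = LOG_LINE) -> dict:
    """Decide the denied request from a log line against both kinds of binding."""
    req = parse_forbidden(line)
    return {
        "scope": "cluster" if req.namespace == "" else req.namespace,
        "role_binding_allows": allowed(req, [ROLE_BINDING]),
        "cluster_role_binding_allows": allowed(req, [CLUSTER_ROLE_BINDING]),
    }


if __name__ == "__main__":
    print(evaluate())  # cluster scope: RoleBinding denies, ClusterRoleBinding allows
    # The same Role does satisfy a list that is restricted to the namespace.
    namespaced = LOG_LINE.replace("at the cluster scope", 'in the namespace "my-namespace"')
    print(evaluate(namespaced))
```

Against a real cluster the equivalent check is `kubectl auth can-i list kafkatopics.kafka.strimzi.io --as=system:serviceaccount:my-namespace:default`, once with `-n my-namespace` (which the Role above answers "yes") and once with `--all-namespaces` (the cluster-scope question the reflector asks, which only a ClusterRole can answer "yes").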

gwenael-lebarzic commented 11 months ago

Hello eshepelyuk.

Thank you for this information.