submariner-io / submariner-operator

Operator that deploys the various Submariner components.
Apache License 2.0
105 stars 66 forks

RBAC should be auto-generated #1105

Open skitt opened 3 years ago

skitt commented 3 years ago

We should generate the RBAC declarations from code (see the TODO in controllers/submariner/broker_controller.go). The resulting YAML files could also be re-used for the operator bundle, and the RBAC-declaration code in pkg/broker/rbac.go would no longer be necessary.

mangelajo commented 3 years ago

@skitt @SteveMattar, shall this be an item for 0.9.0? Sounds risky to me.

skitt commented 3 years ago

I’ve got a patch in progress for this, but it is indeed somewhat risky (although the code generates files we can compare with the existing setup, so it’s easy enough to verify). I’ve moved it to 0.10.

SteveMattar commented 3 years ago

I agree, let's wait with this.

SteveMattar commented 3 years ago

The kustomize part is handled in this patch: https://github.com/submariner-io/submariner-operator/pull/1375

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had activity for 60 days. It will be closed if no further activity occurs. Please make a comment if this issue/pr is still valid. Thank you for your contributions.

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had activity for 60 days. It will be closed if no further activity occurs. Please make a comment if this issue/pr is still valid. Thank you for your contributions.

dfarrell07 commented 1 year ago

@skitt Do you have any pointers about how this should be done?

skitt commented 1 year ago

The relevant section in the Operator SDK documentation is https://sdk.operatorframework.io/docs/building-operators/golang/operator-scope/#restricting-roles-and-permissions

The kubebuilder reference is https://book.kubebuilder.io/reference/markers/rbac.html

See https://github.com/skitt/submariner-operator/pull/16 where I started working on this a while back — my process then was to compare the generated RBAC with the RBAC we had in our YAML files, determine whether a missing permission was significant, and add the corresponding annotation.
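The compare-then-annotate loop described above, as an added example that is not the project's code: the hand-written rules and the marker-generated rules are modelled as a plain `Rule` struct (one group/resource pair per rule, standard library only rather than the k8s.io rbac types, both assumptions of this example), `MissingPermissions` reports every group/resource/verb the generated set fails to cover so a human can decide whether it matters, and `MarkerFor` renders the `+kubebuilder:rbac` marker that would restore it. The `submariner.io`/`brokers` values in `main` are a constructed sample.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one group/resource pair and its verbs; a PolicyRule naming several is several Rules.
type Rule struct{ Group, Resource string; Verbs []string }
func has(list []string, want string) bool {
	for _, item := range list {
		if item == "*" || item == want {
			return true
		}
	}
	return false
}
// covered reports whether any rule grants verb on group/resource; "*" in a rule matches anything.
func covered(rules []Rule, group, resource, verb string) bool {
	for _, r := range rules {
		if has([]string{r.Group}, group) && has([]string{r.Resource}, resource) && has(r.Verbs, verb) {
			return true
		}
	}
	return false
}
// MissingPermissions lists each group/resource/verb the hand-written rules grant but the generated rules do not.
func MissingPermissions(existing, generated []Rule) []string {
	var missing []string
	for _, e := range existing {
		for _, v := range e.Verbs {
			if !covered(generated, e.Group, e.Resource, v) {
				missing = append(missing, e.Group+"/"+e.Resource+"/"+v)
			}
		}
	}
	return missing
}
// MarkerFor renders the kubebuilder marker that would add one rule; the core API group is written "".
func MarkerFor(r Rule) string {
	group := r.Group
	if group == "" {
		group = `""`
	}
	return fmt.Sprintf("// +kubebuilder:rbac:groups=%s,resources=%s,verbs=%s", group, r.Resource, strings.Join(r.Verbs, ";"))
}
// main checks a constructed sample (not the project's real rules) in which "update" was never annotated.
func main() {
	fmt.Println(MissingPermissions([]Rule{{"submariner.io", "brokers", []string{"get", "list", "update"}}}, []Rule{{"submariner.io", "brokers", []string{"get", "list"}}}))
}
```

A wildcard grant in the hand-written YAML is only reported as covered when the generated rules also carry a wildcard, which is precisely the case that deserves a deliberate decision rather than a copied annotation.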

dfarrell07 commented 1 year ago

Relates to https://github.com/submariner-io/submariner-operator/issues/1240 and https://github.com/submariner-io/submariner-operator/issues/1241

skitt commented 1 year ago

See https://github.com/operator-framework/operator-sdk/issues/6100 for namespace permissions instead of cluster permissions.

dfarrell07 commented 1 year ago

I should stop beating my head against this and ask...what about the non-operator roles? I went through some ideas that turned out obviously-in-retrospect bad, like annotating some calls with extra permissions to try to cover them or cloning the other repos during generation.

Still not sure what to do about roles that are currently hosted in the operator repo but with code-to-annotate in other repos, how to connect them to the automated generation.