Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow viewers to read SealedSecrets #540

Closed
wants to merge 1 commit into from
Closed

Allow viewers to read SealedSecrets #540

wants to merge 1 commit into from

Conversation

mkilchhofer
Copy link

@mkilchhofer mkilchhofer commented Feb 25, 2021
edited
Loading

Since SealedSecrets only contains encrypted data, we allow reading this kind of resource for
users with view permissions. There's an existing "view" role (besides "edit" and "admin") in every cluster
which gets updated with ClusterRoles containing special aggregate instructions via annotations:

rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"

The view role in my use case is also used by event exporters (ie. the one provided by Opsgenie). All occurring
events are received, enriched with the metadata of the relevant object and forwarded to an arbitrary
monitoring/log system of choice. Without this role the event exporter cannot read the SealedSecrets object.

mkmik
mkmik reviewed Feb 25, 2021
View reviewed changes
helm/sealed-secrets/templates/cluster-role.yaml
Comment on lines +56 to +57
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are these really necessary?

@mkmik
Copy link
Collaborator

mkmik commented Feb 25, 2021

I'm a bit confused; I've worked in clusters where I had only read-only access and I remember I was able to see all resources in all the namespaces I had access.

Does this PR adds the ability for people to see SealedResources of namespaces I wouldn't otherwise have access?

@mkilchhofer
Copy link
Author

mkilchhofer commented Feb 25, 2021
edited
Loading

This PR adds the ability to gain cluster-wide view access through the existing ClusterRole "view". There are several ways to provide view access.

In a up-to-date cluster there are 3 special ClusterRoles which can be bound with a ClusterRolebinding:

  • view
  • edit
  • admin

Several projects use this pattern:

@mkmik
Copy link
Collaborator

mkmik commented Feb 26, 2021

Ok.thanks. can you please undo the version bump to the chart version? I'd like to add this also to the standalone yaml manifest (generated from the controller.jsonnet) and make a new release of both sealed-secrets and the helm chart combined

@mkilchhofer
Allow viewers to read SealedSecrets
e6fac7f 
Since SealedSecrets only contains encrypted data, we allow reading this kind of resource for
users with view permissions. There's an existing "view" role (besides "edit" and "admin") in every cluster
which gets updated with ClusterRoles containing special aggregate instructions via annotations:
~~~
rbac.authorization.k8s.io/aggregate-to-view: "true"
rbac.authorization.k8s.io/aggregate-to-edit: "true"
rbac.authorization.k8s.io/aggregate-to-admin: "true"
~~~
The view role in my use case is also used by event exporters (ie. the one provided by Opsgenie). All occurring
events are received, enriched with the metadata of the relevant object and forwarded to an arbitrary
monitoring/log system of choice. Without this role the event exporter cannot read the SealedSecrets object.
@mkilchhofer
Copy link
Author

mkilchhofer commented Feb 26, 2021
edited
Loading

can you please undo the version bump to the chart version?

Done :)
Regarding the change in general, I have no problem when you challenge me, maybe there are other solutions for this. But as I saw how the mentioned three projects solves this, I thought this would be a good idea. And it works for me: mkilchhofer/k8s-gitops@0643837

@disposab1e disposab1e mentioned this pull request Mar 24, 2021
Open
@mkilchhofer
Copy link
Author

Hi @mkmik ,
Is there anything open for discussing, or is it ready to merge?

@mkilchhofer mkilchhofer deleted the feature/add_view_clusterrole_to_helm branch January 15, 2022 17:20
@mkmik
Copy link
Collaborator

mkmik commented Jan 15, 2022

@juan131 can you please take a look if this is still relevant?

@juan131
Copy link
Collaborator

juan131 commented Feb 3, 2022

@mkilchhofer sorry but I just saw this.. Would you be willing to reopen this PR so we can reconsider it?

@juan131 juan131 added backlog Issues/PRs that will be included in the project roadmap enhancement labels Feb 3, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mkmik mkmik mkmik left review comments

Assignees
No one assigned
Labels
backlog Issues/PRs that will be included in the project roadmap enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mkilchhofer @mkmik @juan131