Audit RBAC rules for Controller / Webhook to minimal set. #982
Comments
We should audit the verbs as well as cluster/namespace access rights for each of the resources.

vaikas changed the title from "Create namespaced Roles" to "Audit RBAC rules for Controller / Webhook to minimal set." on Mar 27, 2019
This is a follow-up issue to #872 where we created explicit ServiceAccounts and Bindings so that we have better control on what is required to run these pieces and what access they have. We should audit and minimize the required access.

These should be good, let's open explicit bugs if this is not the case.
matzew pushed a commit to matzew/eventing that referenced this issue on Nov 19, 2020:

* Eventing upgrade tests prober fully configurable (knative#4421)
  * Eventing upgrade tests prober fully configurable
  * Embedding configuration structs

* Reduce a test name length to prevent DNS label too long error (knative#4442)

  Having too long namespace or kservice name can lead to an error like:

  ```
  $ host wathola-receiver-test-continuous-events-propagation-with-prober-zxmkp.apps.example.org
  host: 'wathola-receiver-test-continuous-events-propagation-with-prober-zxmkp.apps.example.org' is not a legal IDN name (domain label longer than 63 characters), use +noidnin
  ```

  In this case my namespace is test-continuous-events-propagation-with-prober-zxmkp and knative service name is wathola-receiver. The namespace is taken from Go test method name. The limit is 63 characters. In this example the subdomain is 69 characters. This does affect OpenShift Serverless as kservices there have a URL format of `${ksvc.name}-${ksvc.namespace}` to enable usage of TLS wildcard certificates. Reducing this test method name length will help fit within this strict limit of 63 chars.

* Use deployment to avoid disparity in effective user (knative#4445)

  On OpenShift we've observed a disparity when using pods vs deployments. Using both of those can lead to having different effective user for bare pods and pods managed by deployment. That leads to differences in reading a config file by wathola components, as `~` points to different places for sender and receiver+forwarder. This changes the code to avoid using bare pods for wathola components.

* Refactor fetching of wathola receiver's delivery report using special batch Job (knative#4460)
  * Reimplementing fetching of wathola report with K8s job

    This change targets the problem of how to get report from cluster. Clusters may have different networking setup, and it might not be possible to directly make HTTP request from outside of cluster. Previous approach used to guess an external address of cluster. That for sure fails on OpenShift deployed on AWS. This approach deploys a special Job that, being inside cluster, can download a report and print it in its logs. Then test client can fetch logs of completed job, parse it, replay the logs, and process report further.
  * Removal of unneeded external node address package
  * Fixing lints & boilerplate
  * spec.template.spec.restartPolicy=never
  * Apply @devguyio suggestions for test/upgrade/README.md

    Co-authored-by: Ahmed Abdalla Abdelrehim <aabdelre@redhat.com>
  * Changes after review

    Co-authored-by: Ahmed Abdalla Abdelrehim <aabdelre@redhat.com>

  Co-authored-by: Ahmed Abdalla Abdelrehim <aabdelre@redhat.com>
I wonder if this is a candidate for a (namespaced) Role so the webhook doesn't have access to all secrets everywhere. Seems like maybe configmaps and deployments permissions could also be namespaced.

Originally posted by @grantr in #872
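The contrast the issue is asking for, shown as an added example that is not a manifest from the knative/eventing repository: a cluster-wide grant on Secrets beside a namespaced Role bound only to the webhook's ServiceAccount. The namespace `knative-eventing`, the ServiceAccount name `eventing-webhook`, the Role names and the secret name `eventing-webhook-certs` are assumptions for illustration; the verbs left in the minimal Role are the ones an audit of the component's actual API calls would have to confirm.

```yaml
# Added illustration, not from the knative/eventing repo. All names and the
# namespace below are assumptions.

# Broad form: a ClusterRole, bound with a ClusterRoleBinding, lets the webhook
# read and modify every Secret, ConfigMap and Deployment in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: eventing-webhook-broad        # assumed name
rules:
  - apiGroups: [""]
    resources: ["secrets", "configmaps"]
    verbs: ["*"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["*"]
---
# Minimal form: a namespaced Role. Access is limited to one namespace, the
# Secret rule is pinned to a single object by resourceNames, and the verb
# list is reduced to what the component is known to use.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: eventing-webhook-minimal      # assumed name
  namespace: knative-eventing         # assumed namespace
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["eventing-webhook-certs"]   # assumed name of the webhook's own TLS secret
    verbs: ["get", "update"]                    # assumed: read the cert, rotate it; no list/watch on all secrets
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]             # read-only on configmaps in this namespace
---
# A RoleBinding (not a ClusterRoleBinding) ties the Role to the webhook's
# ServiceAccount in the same namespace, so the grant cannot widen by binding.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: eventing-webhook-minimal      # assumed name
  namespace: knative-eventing         # assumed namespace
subjects:
  - kind: ServiceAccount
    name: eventing-webhook            # assumed ServiceAccount name
    namespace: knative-eventing
roleRef:
  kind: Role
  name: eventing-webhook-minimal
  apiGroup: rbac.authorization.k8s.io
```

After applying the minimal form and removing the broad ClusterRoleBinding, `kubectl auth can-i list secrets -A --as=system:serviceaccount:knative-eventing:eventing-webhook` should answer `no`, while `kubectl auth can-i get secrets/eventing-webhook-certs -n knative-eventing --as=...` still answers `yes`; running that check for each verb and resource is the audit the issue title calls for.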