Audit RBAC rules #616
Audit RBAC rules #616
Conversation
kubevirt-bot
added
dco-signoff: yes
kubevirt-bot
added
release-note
| @@ -94,14 +94,11 @@ func NewSspReconciler(client client.Client, uncachedReader client.Reader, infras | |||
|
|
|||
| var _ reconcile.Reconciler = &sspReconciler{} | |||
|
|
|||
| // +kubebuilder:rbac:groups=ssp.kubevirt.io,resources=ssps,verbs=get;list;watch;create;update;patch;delete | |||
| // +kubebuilder:rbac:groups=ssp.kubevirt.io,resources=ssps/status,verbs=get;update;patch | |||
| // +kubebuilder:rbac:groups=ssp.kubevirt.io,resources=ssps,verbs=list;watch;update | |||
There was a problem hiding this comment.
Why does SSP need to update the SSP CR?
There was a problem hiding this comment.
Without that verb, the BeforeSuite fails on this assert
ssp-operator/tests/tests_suite_test.go
Line 514 in 25b2b9a
Generation field in presence changes to it.
There was a problem hiding this comment.
No the Generation field is updated by k8s API server.
SSP operator needs to add finalizer to the SSP CR:
ssp-operator/controllers/ssp_controller.go
Lines 295 to 298 in eb60b15
There was a problem hiding this comment.
Ahh nice! Thanks for the clarifications :-)
| @@ -500,27 +423,14 @@ spec: | |||
| - virtualmachines/stop | |||
| verbs: | |||
| - update | |||
| - apiGroups: | |||
There was a problem hiding this comment.
Did you enable all feature gates during testing? SSP can deploy Tekton resources.
There was a problem hiding this comment.
Yes, Tekton tasks have also been tested.
It removes all no required RBAC rules and verbs. The used process has been a black box approach, i.e., remove all rules, deploy the operator, run functest, collect forbidden operations, add the missing rules/verbs and repeat. To ensure a better coverage, Tier 2 tests have also been run. Signed-off-by: Javier Cano Cano <jcanocan@redhat.com>
|
Kudos, SonarCloud Quality Gate passed!
|
|
V2:
|
|
/lgtm Thanks this looks good to me, any lack of coverage in CI for these rules would be a serious bug IMHO so I'm happy trusting it for now. |
|
/retest-required |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: 0xFelix The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kubevirt-bot
added
the
approved
What this PR does / why we need it:
As it is now, some of the RBAC rules and/or verbs are not required for the operator to be able to perform all intended operations.
This PR audits all RBAC rules. The auditory has been carried out following a black box approach, i.e., remove all rules, deploy the operator, run functest, collect forbidden operations, add the missing rules/verbs and repeat. The auditing process has been split in the next action items:
Just in case changes are not clear enough, this is a simplified and normalized diff of the
ClusterRolefile before and after: https://www.textcompare.org/?id=64a2c9d599377eb6104d8ae3The simplified version has been obtained using this script.
jira-ticket: https://issues.redhat.com/browse/CNV-24031
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Release note: