Automated backport of #3040: Reduce submariner-operator RBAC permissions #3045
Commits on May 6, 2024
Commit 8957583: Reduce submariner-operator RBAC permissions
- Remove Role wildcard access to "pods" - only "get" and "list" access is needed which is provided by the ClusterRole.
- "services" are created for metrics so reduce Role access accordingly
- The operator does not access "endpoints", "persistentvolumeclaims", "events", "replicasets" or "statefulsets" so remove access.
- Reduce access to "deployments", "daemonsets" and "submariner.io" resources to only what's needed and remove wildcard access.
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Commit 83d9e8d: Reduce submariner-gateway RBAC permissions
- The following resources are not accessed at all so remove permissions:
  - "services"
  - "endpoints"
  - "events"
  - "configmaps"
  - "deployments"
  - "daemonsets"
  - "replicasets"
  - "statefulsets"
  - "customresourcedefinitions"
  - "operator.openshift.io/dnses"
  - "config.openshift.io/networks"
  - "monitoring.coreos.com/servicemonitors"
- The gateway pod is annotated - it only needs "get" and "update" access
- Remove wildcard access to "submariner.io" resources and specify exactly what's needed.
- Reduce "configmaps" access to just "get".
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Commit 2dcc01a: Reduce submariner-routeagent RBAC permissions
- The following resources are not accessed so remove permissions:
  - "services"
  - "endpoints"
  - "events"
  - "deployments"
  - "daemonsets"
  - "replicasets"
  - "statefulsets"
  - "customresourcedefinitions"
  - "operator.openshift.io/dnses"
  - "monitoring.coreos.com/servicemonitors"
- Reduce access to "pods", "services", "secrets", "configmaps", and "endpoints" to "get" and "list"
- Remove wildcard access to "submariner.io" resources and specify exactly what's needed.
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Commit b3c6221: Reduce submariner-globalnet RBAC permissions
- The following resources are not accessed at all so remove permissions:
  - "services"
  - "endpoints"
  - "persistentvolumeclaims"
  - "events"
  - "configmaps"
  - "secrets"
  - "deployments"
  - "daemonsets"
  - "replicasets"
  - "statefulsets"
  - "namespaces"
  - "monitoring.coreos.com/servicemonitors"
- Reduce "pods" access to only "get", "list", "watch"
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Commit b4bbee5: Reduce lighthouse-agent RBAC permissions
- Remove "update" access to "services", "namespaces" and "endpoints".
- Remove wildcard access to "multicluster.x-k8s.io" resources and specify exactly what's needed.
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Commit bec3ee3: Reduce lighthouse-coredns RBAC permissions
- The following resources are not accessed so remove permissions:
  - "services"
  - "endpoints"
  - "namespaces"
- Reduce "endpointslices" access to "get", "list", and "watch"
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Commit 0782515: Re-generate pkg/embeddedyamls/yamls.go
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Commit 04d57f2: Adjust code in order to remove operator RBAC permissions for namespaces
We grant namespace read permissions which is only needed to query for the existence of the "openshift-monitoring" namespace to determine where to create ServiceMonitors. However we can eliminate this query and thus the permissions by trying to create ServiceMonitors in the "openshift-monitoring" namespace and, if the error indicates the namespace is missing, create in the provided namespace.
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Commit 8a063f9: Restrict config.openshift.io/networks RBAC permissions
This resource type is only used for network settings discovery to query the "cluster" Network so restrict the RBAC to only "get" access to the "cluster" resource name. This applies to both the submariner-operator:
https://github.com/submariner-io/submariner/blob/85fea596f30b0e84d6962c92bb129a6b8bce8028/pkg/routeagent_driver/handlers/ovn/connection.go#L358
and route-agent components:
https://github.com/submariner-io/submariner/blob/85fea596f30b0e84d6962c92bb129a6b8bce8028/pkg/routeagent_driver/handlers/ovn/connection.go#L358
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
Commit 70d6587: Restrict operator ClusterRole*, ServiceAccount permissions
These were added for network-plugin syncer removal so restrict the delete permissions to the networkplugin-syncer resource names.
Signed-off-by: Tom Pantelis <tompantelis@gmail.com>
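As an added, standard-library-only Go example (not code from the submariner project), a small check that flags the two patterns the commits above strip from the operator and agent Roles: "*" verbs or resources, and delete verbs that are not pinned to resourceNames. The sample rules, and the resource name in the last one, are constructed for the example.

```go
package main

import "fmt"

// PolicyRule mirrors the rbac.authorization.k8s.io/v1 fields used here
// (redeclared so the example needs only the standard library).
type PolicyRule struct {
	APIGroups, Resources, Verbs, ResourceNames []string
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// Findings returns one line per rule that still grants broad access: a "*"
// verb or resource, or a delete verb not pinned to specific resourceNames.
func Findings(rules []PolicyRule) []string {
	var out []string
	for i, r := range rules {
		if contains(r.Verbs, "*") || contains(r.Resources, "*") {
			out = append(out, fmt.Sprintf("rule %d: wildcard on %v verbs=%v", i, r.Resources, r.Verbs))
		}
		if (contains(r.Verbs, "delete") || contains(r.Verbs, "deletecollection")) && len(r.ResourceNames) == 0 {
			out = append(out, fmt.Sprintf("rule %d: delete on %v without resourceNames", i, r.Resources))
		}
	}
	return out
}

// Constructed sample rules: the first two are the patterns the commits remove,
// the third is the reduced get/list form, and the fourth pins delete to a
// named ClusterRole (placeholder name) as the last commit does.
var sampleRules = []PolicyRule{
	{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"*"}},
	{APIGroups: []string{"rbac.authorization.k8s.io"}, Resources: []string{"clusterroles"}, Verbs: []string{"delete"}},
	{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"get", "list"}},
	{APIGroups: []string{"rbac.authorization.k8s.io"}, Resources: []string{"clusterroles"}, Verbs: []string{"delete"},
		ResourceNames: []string{"EXAMPLE-networkplugin-syncer-role"}},
}

func main() {
	for _, line := range Findings(sampleRules) {
		fmt.Println(line)
	}
}
```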