Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature]: Migrate all RBAC related resources to Helm chart's templates #259

Closed
2 tasks done
arbreezy opened this issue Nov 10, 2023 · 3 comments · Fixed by #434
Closed
2 tasks done

[Feature]: Migrate all RBAC related resources to Helm chart's templates #259

arbreezy opened this issue Nov 10, 2023 · 3 comments · Fixed by #434
Assignees
@MateSousa
Labels
good first issue

Comments

@arbreezy
Copy link
Member

Checklist

  • I've searched for similar issues and couldn't find anything matching
  • I've discussed this feature request in the K8sGPT Slack and got positive feedback

Is this feature request related to a problem?

None

Problem Description

Both manager's and k8sgpt's roles have to match in order for the former to grant permissions to K8sgpt cluster role or add the verb escalate. Following the Least privileged access idiom, would be great if we move away from the existing way of managing roles

Solution Description

Lift and shift the cluster role, bindings and service account from operator's code to Helm chart's tempates

Benefits

To be more transparent to the end users and also avoid situations like K8s API restrictions with roles which caused issues in the latest v0.0.22

Potential Drawbacks

No response

Additional Information

No response
@arbreezy arbreezy mentioned this issue Nov 10, 2023
Closed
4 tasks
@MateSousa
Copy link
Contributor

hi @arbreezy, can i do ?

@MateSousa
Copy link
Contributor

hey @arbreezy, just to make sure I got it right, i need to migrate all the RBAC from this folder config/rbac to the helm template, right?

@arbreezy
Copy link
Member Author

arbreezy commented Nov 24, 2023
edited

Hello @MateSousa let me elaborate a bit more,

At the moment we are creating with the controller the K8sGPT's role, rolebinding and service account.

There are two issues with this approach,

  1. The controller's role we define here has to match the K8sGPT's role permissions otherwise K8s API disallow the creation, although controller doesn't need those perms for its own workload
  2. In terms of readability, we want to surface those role and rolebinding and service account resources in the chart

So the proposed solution is to move them out of our codebase and include them as part of the chart's template folder
then in the deployment struct we will just reference the service account name (as we already do)

@MateSousa MateSousa mentioned this issue Nov 25, 2023
Closed
4 tasks
@MateSousa MateSousa mentioned this issue May 2, 2024
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@MateSousa MateSousa

Labels
good first issue
Projects
None yet
Milestone
No milestone
2 participants
@arbreezy @MateSousa