Narrow and explicit RBAC #1639
Comments
Can you add more info?
Updated the OP
Thank you for creating this @maanur. /priority p1
I'll look into the issue, but I may need help with testing because of a lack of free time. After that I'd be willing to switch the operator's scope to multiple namespaces instead of a whole cluster, as the current level of privileges is not necessary in fact (remember Is this plan acceptable? @andreyvelich
Yes, partially. I suppose the particular problem of deploying multiple controllers can be solved by OLM and its OperatorGroups, but that can be considered a separate feature.
@maanur I think that also requires an additional proposal on how we want to implement this. Let's start with removing redundant access from the ClusterRole; after that we can discuss role-based access.
I have fixed the cluster role rules in #1768 and documented the remaining problems.
We use Katib with customized RBAC in a desperate attempt to fit in corporate information security requirements. I've never posted it here, because I believe that RBAC manifests should be autogenerated from in-code markings, for example, by kubebuilder. Take a look, please. @juliusvonkohout @andreyvelich
@maanur Can you create a PR which would be easy to review?
Ok, I'll create a PR after adding some comments to the yaml, but I really see it as a temporary solution.
I meant, do you have a narrowed set of RBAC rules?
Yes, I have, but I'd rather suggest a more sustainable solution.
What do you have in mind?
/kind feature
I am trying to deploy Katib in an enterprise environment and have a hard time explaining Katib's requested RBAC rules. It would be much appreciated if the ClusterRole explicitly declared only the necessary verbs for each individual resource.
Look at this:
Full access for Namespaces, Roles and RoleBindings effectively gives Katib unconstrained privileges to do anything it wants. This is plainly unacceptable in my case.
I suggest that ClusterRoles be narrow and explicit, like this:
E.g. let's get rid of those stars in rules.verbs and also remove unnecessary verbs from there.
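As an added illustration (not code from this issue or from Katib), the following script audits a ClusterRole in the JSON shape produced by `kubectl get clusterrole <name> -o json` and flags the two problems the issue describes: wildcard verbs, and write access to Roles/RoleBindings, which lets the holder grant itself anything. Both manifests are constructed; the narrow one's verb set and the `kubeflow.org` resource names are assumptions for illustration, not Katib's established requirements.

```python
import json

# Writing these RBAC objects lets a principal grant itself any other
# permission, so write verbs here are equivalent to cluster-admin.
ESCALATION_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "bind", "escalate", "*"}


def audit_rules(rules):
    """Return human-readable findings for a ClusterRole's list of PolicyRule dicts."""
    findings = []
    for i, rule in enumerate(rules):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        label = f"rule {i} ({', '.join(sorted(resources)) or '*'})"
        if "*" in verbs:
            findings.append(f"{label}: wildcard verbs")
        if "*" in resources:
            findings.append(f"{label}: wildcard resources")
        touches_rbac = bool(resources & ESCALATION_RESOURCES) or "*" in resources
        if touches_rbac and verbs & WRITE_VERBS:
            findings.append(f"{label}: write access to RBAC objects allows privilege escalation")
    return findings


def audit_clusterrole(manifest_json):
    """Audit a ClusterRole manifest as emitted by `kubectl get clusterrole <name> -o json`."""
    obj = json.loads(manifest_json)
    if obj.get("kind") != "ClusterRole":
        raise ValueError("expected a ClusterRole manifest")
    return audit_rules(obj.get("rules", []))


# Constructed manifests mirroring the complaint in the issue; not Katib's real rules.
BROAD = json.dumps({"kind": "ClusterRole", "metadata": {"name": "example-broad"}, "rules": [
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["*"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles", "rolebindings"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["*"]},
]})
# Hypothetical narrowed version: explicit verbs only, no write access to RBAC objects.
NARROW = json.dumps({"kind": "ClusterRole", "metadata": {"name": "example-narrow"}, "rules": [
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["kubeflow.org"], "resources": ["experiments", "trials"],
     "verbs": ["get", "list", "watch", "update", "patch"]},
]})

if __name__ == "__main__":
    for name, manifest in (("broad", BROAD), ("narrow", NARROW)):
        print(name, audit_clusterrole(manifest) or ["no findings"])
```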