RBAC setup behind the aggregator. #936
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
resolves #880 |
|
@kibbles-n-bytes is rbac on in jenkins CI? I'm not sure why this would fail over there. |
contrib/svc-cat-rbac.yaml
Outdated
| - apiGroup: "" | ||
| kind: ServiceAccount | ||
| name: server | ||
| namespace: catalog |
There was a problem hiding this comment.
Is this namespace right or does it need to be parameterized to match SVCCAT_NAMESPACE
There was a problem hiding this comment.
Unspecified assumption currently. Needs to be integrated into the helm chart to get parameterized.
There was a problem hiding this comment.
@MHBauer It would be best parameterized in the values.yaml file. Ping me if you want help with that
There was a problem hiding this comment.
@MHBauer I think I answered a few helm questions, and I do think the namespace should at least be parameterized in the helm chart (even though that's separate from the shell scripts, it's a step in the right direction).
Also, I had a few additions to the markdown file.
Overall, this is great.
contrib/svc-cat-rbac.yaml
Outdated
| - apiGroup: "" | ||
| kind: ServiceAccount | ||
| name: server | ||
| namespace: catalog |
There was a problem hiding this comment.
After https://github.com/kubernetes-incubator/service-catalog/pull/936/files#r121578665 is done, this should read:
namespace: {{ .Values.namespace }}
contrib/svc-cat-rbac.yaml
Outdated
| - apiGroup: "" | ||
| kind: ServiceAccount | ||
| name: server | ||
| namespace: catalog |
There was a problem hiding this comment.
Same here RE the parameterized namespace. There are some other similar changes below, but I won't comment on them all.
docs/rbac-setup.md
Outdated
| # RBAC Setup | ||
|
|
||
| If rbac is enabled, allow the service catalog to grant access for it's | ||
| service token. |
There was a problem hiding this comment.
@MHBauer could you add a bit here on what would have been set in the original helm install command, so that people know whether they enabled RBAC? It may not be obvious to a newcomer.
docs/rbac-setup.md
Outdated
|
|
||
| ## Install our rbac rules | ||
|
|
||
| See the [script in contrib](../contrib/rbac-setup.sh). See the |
There was a problem hiding this comment.
Should they run the script in contrib to install the RBAC rules? If so, can you add that little piece to the docs
| @@ -20,6 +20,7 @@ spec: | |||
| release: "{{ .Release.Name }}" | |||
| heritage: "{{ .Release.Service }}" | |||
| spec: | |||
| serviceAccountName: server | |||
There was a problem hiding this comment.
I think this and the serviceAccountName in controller-manager-deployment.yaml would be worth parameterizing in the values.yaml file as well
There was a problem hiding this comment.
The walkthrough test fails because contrib/rbac-setup.sh isn't run in contrib/hack/test_walkthrough.sh, so the service account additions here break the deployment.
We should either make these serviceAccountNames optional, or update both contrib/hack/test_walkthrough.sh and the walkthrough docs to require running contrib/rbac-setup.sh.
There was a problem hiding this comment.
sheesh. You mentioned it and tagged it for me and I still missed it. sorry guys.
|
@MHBauer I was out earlier this week, looking into this today. |
| @@ -20,6 +20,7 @@ spec: | |||
| release: "{{ .Release.Name }}" | |||
| heritage: "{{ .Release.Service }}" | |||
| spec: | |||
| serviceAccountName: server | |||
There was a problem hiding this comment.
The walkthrough test fails because contrib/rbac-setup.sh isn't run in contrib/hack/test_walkthrough.sh, so the service account additions here break the deployment.
We should either make these serviceAccountNames optional, or update both contrib/hack/test_walkthrough.sh and the walkthrough docs to require running contrib/rbac-setup.sh.
contrib/rbac-setup.sh
Outdated
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
|
|
||
| SVCCAT_NAMESPACE=catalog |
There was a problem hiding this comment.
This assumes the namespace will be "catalog". This should probably be parameterized. A simple way would be:
SVCCAT_NAMESPACE="${SVCCAT_NAMESPACE:-catalog}"
contrib/rbac-setup.sh
Outdated
| kubectl create namespace ${SVCCAT_NAMESPACE} | ||
| kubectl create serviceaccount server --namespace=${SVCCAT_NAMESPACE} | ||
| kubectl create serviceaccount controller --namespace=${SVCCAT_NAMESPACE} | ||
| kubectl create -f svc-cat-rbac.yaml |
There was a problem hiding this comment.
This assumes we're running this file while in contrib/. I'd add
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
to the top of the file, and then change the file reference to "${ROOT}/contrib/svc-cat-rbac.yaml
|
I agree that the account names need to be parameterized here. The account names need to match the rbac definition yaml. The service account creation should become part of the charts. The rbac yaml should become part of the charts. |
contrib/jenkins/init_cluster.sh
Outdated
| --clusterrole=cluster-admin --user="${ACCOUNT_NAME}" \ | ||
| || { echo 'Cannot not create cluster-admin role for service account.'; exit 1; } | ||
|
|
||
| ${ROOT}/contrib/rbac-setup.sh \ |
There was a problem hiding this comment.
maybe won't need this script at all.
There was a problem hiding this comment.
Since you got rid of it now, lines 66-68 should be removed as well.
There was a problem hiding this comment.
I am really dumb some times.
|
I think we're good now. rbac by default. At the very least it shouldn't break anything on someone running without rbac on. |
| @@ -20,6 +20,7 @@ spec: | |||
| release: "{{ .Release.Name }}" | |||
| heritage: "{{ .Release.Service }}" | |||
| spec: | |||
| serviceAccountName: controller | |||
There was a problem hiding this comment.
You still need to templatize the definition here and in apiserver-deployment.yaml.
There was a problem hiding this comment.
🦈 good eye. I'll take another pass through. Thanks!
|
@kibbles-n-bytes @arschles I can't believe you both tagged some things and I still overlooked them. Sorry about that. We should be good now. Not sure why jenkins is failing. Looks to me like it successfully installs. |
|
@MHBauer is the jenkins failure a flake? |
|
if you're testing with an apiserver build from master, kubernetes/kubernetes#46812 (comment) would have broken this a couple days ago |
|
@liggitt our apiserver stuff is somewhere between levels v1.5.5 and v1.6.0-rc1 |
|
undo! |
|
looking at https://service-catalog-jenkins.appspot.com/job/service-catalog-PR-testing2/885/ which would be a flake to me. |
|
@MHBauer As I mentioned on Slack, I believe that's the same issue I hit when trying to run this on GKE. I had to create a ClusterRoleBinding with the "cluster-admin" role before doing any of the RBAC stuff. |
| # cluster roles. Needed for RBAC setup. | ||
| ACCOUNT_NAME="$(gcloud info | grep Account | sed 's/.*\[\(.*\)\]/\1/')" | ||
| kubectl create clusterrolebinding jenkins-cluster-admin-binding \ | ||
| --clusterrole=cluster-admin --user="${ACCOUNT_NAME}" \ |
There was a problem hiding this comment.
@arschles @kibbles-n-bytes for default minikube I did
kubectl create clusterrolebinding minikube-cluster-admin-binding --clusterrole=cluster-admin --user=minikube
There was a problem hiding this comment.
Nope, did not help, same
Error: release catalog failed: clusterroles.rbac.authorization.k8s.io "servicecatalog.k8s.io:apiserver" is forbidden: attempt to grant extra privileges: [PolicyRule{Resources:["namespaces"], APIGroups:[""], Verbs:["get"]} PolicyRule{Resources:["namespaces"], APIGroups:[""], Verbs:["list"]} PolicyRule{Resources:["namespaces"], APIGroups:[""], Verbs:["watch"]}] user=&{system:serviceaccount:kube-system:default d6100657-632b-11e7-8c06-befc308e6091 [system:serviceaccounts system:serviceaccounts:kube-system system:authenticated] map[]} ownerrules=[] ruleResolutionErrors=[]
There was a problem hiding this comment.
rbac wasn't on in minikube, oops.
add --extra-config=apiserver.Authorization.Mode=RBAC
There was a problem hiding this comment.
We can add this to the walkthrough docs in a follow-up
|
@MHBauer Still investigating this failure, should have a fix out soon. |
kibbles-n-bytes
added
the
needs-rebase
|
@kibbles-n-bytes rebased on to 34ed5cd. |
kibbles-n-bytes
removed
the
needs-rebase
@MHBauer IMO it's fine to leave these |
|
@MHBauer ready to review and merge? |
| @@ -0,0 +1,127 @@ | |||
| apiVersion: v1 | |||
There was a problem hiding this comment.
@MHBauer I believe we should be able to use the following to test whether the rbac API group is available:
{{- if .Capabilities.APIVersions.Has "rbac.k8s.io/v1beta1" }}
// stuff
{{- end }}
| @@ -0,0 +1,127 @@ | |||
| apiVersion: v1 | |||
There was a problem hiding this comment.
@MHBauer I believe we should be able to use the following to test whether the rbac API group is available:
{{- if .Capabilities.APIVersions.Has "rbac.k8s.io/v1beta1" }}
// stuff
{{- end }}
charts/catalog/templates/rbac.yaml
Outdated
| items: | ||
|
|
||
| # TODO: if this is just for namespace lifecycle admission, move to a generic role | ||
| - apiVersion: rbac.authorization.k8s.io/v1beta1 |
There was a problem hiding this comment.
I believe this should be the only use for the API server, and does constitute what is necessary for namespace lifecycle admission. I'm cool calling this role something like namespace-lifecycle-admission, your choice.
There was a problem hiding this comment.
Is there more to do to address the todo? or a followup.
charts/catalog/templates/rbac.yaml
Outdated
| # TODO: do not grant global access, limit to particular secrets referenced from bindings | ||
| - apiGroups: [""] | ||
| resources: ["secrets"] | ||
| verbs: ["get","create"] |
There was a problem hiding this comment.
The controller manager deletes secrets when bindings are deleted, so delete is definitely needed.
charts/catalog/templates/rbac.yaml
Outdated
| resources: ["secrets"] | ||
| verbs: ["get","create"] | ||
| - apiGroups: [""] | ||
| resources: ["configmaps"] |
There was a problem hiding this comment.
I don't think we have any uses of configmaps in the code today, do we? Does auth delegation rely on it?
charts/catalog/templates/rbac.yaml
Outdated
| resources: ["secrets"] | ||
| verbs: ["get","create"] | ||
| - apiGroups: [""] | ||
| resources: ["configmaps"] |
There was a problem hiding this comment.
(It might be handy to comment saying what each of these permissions is used for)
charts/catalog/templates/rbac.yaml
Outdated
| - apiGroups: [""] | ||
| resources: ["namespaces"] | ||
| verbs: ["get", "list", "watch"] | ||
| - apiVersion: rbac.authorization.k8s.io/v1beta1 |
There was a problem hiding this comment.
Looks like we are missing RBAC rules for settings API group
There was a problem hiding this comment.
What should that look like?
|
I know that the 'requestheader-ca' information is looked up by the apiserver in a configmap. I know for api aggregation it's needed. Maybe for auth delegation as well. Any comment @DirectXMan12 ? |
|
What's the proper way to drop comments in? Is there a way to get the comment into kube so we know what it does later? I obviously want a very specific name, but there's only so many characters I can use in there. |
The
I think commenting in the yaml spec is good enough. |
I see that now. This was always intended as a rough draft of "what happened" when I ran some tests with the rbac in permissive mode. I don't know of any more definitive way to determine the exact permissions we may need. This is a bad UX. I'll take configmaps out and test, but it's going to delay this again. |
kibbles-n-bytes
added
the
needs-rebase
|
@kibbles-n-bytes rebase why? |
|
gotcha gotch. I'll do some refactoring of the commits while I'm rebasing. |
MHBauer
removed
the
needs-rebase
|
/retest |
|
@MHBauer Check my latest comment on |
|
@kibbles-n-bytes thanks |
yaml was generated by putting rbac into permissive mode and seeing what it would have denied. then @liggitt processed the log messages to create the output and left some suggested TODOs.
@pmorie do you undestand the leader election TODOs?
Service accounts were done to see what each server was specificly doing. We can back that out and adapt the yaml.
Need to have the auth setup as in the auth docs.