add expanded cluster-reader role rules #112

richm · 2019-02-26T23:34:36Z

the cluster-logging-operator needs the cluster-reader clusterrole
rights - we cannot add a roleRef: cluster-reader so add the
full list of rules from oc get clusterrole cluster-reader
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1680504

richm · 2019-02-26T23:34:55Z

@jcantrill @ewolinetz

SamiSousa

Is it possible to consolidate some of these roles? I was following the messages on the forum, and was wondering if this could be reduced in any way.
Lines of code isn't being enforced, but minimizing rbac for each operator is preferable.

SamiSousa · 2019-02-27T01:06:09Z

community-operators/cluster-logging/clusterlogging.v0.0.1.clusterserviceversion.yaml

+          - ""
+          - route.openshift.io
+          resources:
+          - routes/status


Can this role be consolidated with the role above? They have the same api group and verbs

/me wishes the output of oc get clusterrole cluster-reader -o yaml would be already condensed . . .

you mean, something like this?

- apiGroups: - "" - route.openshift.io resources: - routes - routes/status verbs: - get - list - watch

?

Yeah just like that. That's effectively the same role as far as I can tell.

This is what I did to get the list of `cluster-reader` rules to add to the `clusterPermissions`: - on a current cluster, `oc get clusterrole cluster-reader -o yaml` - edit the file so that it contained just the list of rules - run through a python script to "de-dup" the rules For example, change this: ```yaml - apiGroups: - "" - route.openshift.io resources: - routes/status verbs: - get - list - watch - apiGroups: - "" - route.openshift.io resources: - routes verbs: - get - list - watch ``` to this ``` - apiGroups: - "" - route.openshift.io resources: - routes - routes/status verbs: - get - list - watch ``` There were several such cases in the cluster-reader role definition.

richm · 2019-02-27T21:26:57Z

note - not the same as cluster-reader - I had to remove this:

        - apiGroups:
          - build.openshift.io
          resources:
          - jenkins
          verbs:
          - view

because it failed verb validation - view is not a valid verb

enj · 2019-02-27T21:54:23Z

/hold

cluster reader changes every release, and is an aggregated cluster role that can be expanded based on other installed components. Any attempt to copy it is brittle.

richm · 2019-02-27T22:31:17Z

ok - so what are our alternatives?

I requested that support for a list of roleRef be added to OLM need ability to specify roleRef in permissions operator-lifecycle-manager#732 - but @ecordell says that OLM already supports the ability to specify a ClusterRoleBinding in the manifest, but https://github.com/operator-framework/community-operators doesn't - so he suggested I file an issue with them - this would afaict allow us to specify roleRef: cluster-reader in the manifest
We can investigate, and with some trial&error, pare down the list of rules needed by fluentd and therefore cluster-logging-operator, in order to have the minimum necessary permissions

Not sure how long either of these will take, and in the meantime, logging is blocked due to https://bugzilla.redhat.com/show_bug.cgi?id=1680504 . . .

enj · 2019-02-27T22:36:14Z

We can investigate, and with some trial&error, pare down the list of rules needed by fluentd and therefore cluster-logging-operator, in order to have the minimum necessary permissions

That seems like the best approach.

richm · 2019-02-28T15:29:47Z

closing in favor of openshift/cluster-logging-operator#106

openshift-ci-robot requested review from awgreene and SamiSousa February 26, 2019 23:34

openshift-ci-robot added the size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. label Feb 26, 2019

SamiSousa reviewed Feb 27, 2019

View reviewed changes

richm force-pushed the logging-add-expanded-cluster-reader branch from 139ce43 to 13e38a5 Compare February 27, 2019 18:28

openshift-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Feb 27, 2019

richm mentioned this pull request Feb 27, 2019

need ability to specify roleRef in permissions operator-framework/operator-lifecycle-manager#732

Closed

richm force-pushed the logging-add-expanded-cluster-reader branch from 13e38a5 to 252f4f2 Compare February 27, 2019 21:23

openshift-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 27, 2019

richm closed this Feb 28, 2019

richm deleted the logging-add-expanded-cluster-reader branch February 28, 2019 15:29

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

add expanded cluster-reader role rules #112

add expanded cluster-reader role rules #112

richm commented Feb 26, 2019

richm commented Feb 26, 2019

SamiSousa left a comment

SamiSousa Feb 27, 2019

richm Feb 27, 2019

SamiSousa Feb 27, 2019

richm commented Feb 27, 2019

enj commented Feb 27, 2019

richm commented Feb 27, 2019

enj commented Feb 27, 2019

richm commented Feb 28, 2019

add expanded cluster-reader role rules #112

add expanded cluster-reader role rules #112

Conversation

richm commented Feb 26, 2019

richm commented Feb 26, 2019

SamiSousa left a comment

Choose a reason for hiding this comment

SamiSousa Feb 27, 2019

Choose a reason for hiding this comment

richm Feb 27, 2019

Choose a reason for hiding this comment

SamiSousa Feb 27, 2019

Choose a reason for hiding this comment

richm commented Feb 27, 2019

enj commented Feb 27, 2019

richm commented Feb 27, 2019

enj commented Feb 27, 2019

richm commented Feb 28, 2019