Add support for ClusterRole AggregationRule during bundle generation #6978
Conversation
|
@zimnx - please sign the DCO. |
zimnx
force-pushed
the
support-aggregated-clusterroles
branch
from
8141b30 to
0ac4a86
Compare
Done @jberkhahn @rashmigottipati Kind reminder about this PR, I would appreciate feedback. |
|
This is on our path for OpenShift certification. It'd be great if it can get reviewed. |
|
@grokspawn perhaps you could take a look? It didn't get much attention. Thanks in advance! |
There was a problem hiding this comment.
Thanks for this PR and sorry for the delay, I only can look at this project in my free time.
I have a couple of comments, one about the unit test is marked as such. Along with the unit test changes, we'd also want to update our integration tests to make sure that an operator with these rules in their config/rbac has a bundle that is generated properly, and that the operator can run in a cluster. to update the unit integration tests, you can look at hack/generate/samples/internal/go/memcached-with-customization/memcached_with_customization.go to see how we post process the operator's directories and add in the necessary things to fully test different scaffoling options, ontop of what you get from kubebuilder (which operator-sdk is based on).
internal/generate/clusterserviceversion/clusterserviceversion_updaters_test.go
Show resolved
Hide resolved
zimnx
force-pushed
the
support-aggregated-clusterroles
branch
from
0ac4a86 to
980ea04
Compare
Thanks for hints, I've added ClusterRole having AggregatedRule to integration tests. |
zimnx
force-pushed
the
support-aggregated-clusterroles
branch
from
980ea04 to
5b6b5fe
Compare
zimnx
force-pushed
the
support-aggregated-clusterroles
branch
from
5b6b5fe to
4f26287
Compare
|
@zimnx Can you create a new changlog fragment as an addition for this? The initial comment lays out how to accomplish that. |
| } | ||
|
|
||
| // getClusterRoleRules returns all PolicyRules for a given ClusterRole, including rules from aggregated ClusterRoles | ||
| // as specified by the AggregationRule. It recursively collects rules from other ClusterRoles that match the label selectors |
There was a problem hiding this comment.
The GoDoc comment mentions that this recursively collect rules from other ClusterRoles that match the aggregation label. But I think I only see one level of collection happening?
What if we have:
- ClusterRole
Awith AggregationRule that matchesfoo: "bar"with rulesX - ClusterRole
Bwith labelfoo: "bar"and an AggregationRule that matchesfizz: "buzz"with rulesY - ClusterRole
Cwith labelfizz: "buzz"with rulesZ
I think I would expect calling this function on ClusterRole A to return rules X, Y, and Z?
There was a problem hiding this comment.
Thanks for spotting. GoDoc comment is incorrect.
Policy rules are not aggregated recursively:
https://github.com/kubernetes/kubernetes/blob/release-1.34/pkg/controller/clusterroleaggregation/clusterroleaggregation_controller.go#L84-L125
Fixed the comment to reflect function semantic.
There was a problem hiding this comment.
Are you sure they are not aggregated recursively (at least in effect)?
It looks like a "sync" goes and fetches rules from cluster roles (let's call them C and D) that match the aggregation label in cluster role B and then syncs those rules into the aggregated role B. So at the end of a sync, B actually contains rules from C and D.
If there is another cluster role A that has an aggregation rule that selects B, then at some point A will sync, see the aggregated rules in B and pull those rules into A. So eventually, A will have rules from B, C, and D.
ClusterRoles that use an AggregationRule often do not have any rules defined directly. Instead, their rules are aggregated from other ClusterRoles that match the AggregationRule’s label selector. The existing generator logic only included rules from ClusterRoles that were explicitly bound via ClusterRoleBindings to the ServiceAccounts used by Deployments. Since ClusterRoles with an AggregationRule typically lack direct rule definitions, the resulting permission bundle ended up being empty. This update adds support for handling ClusterRoles that use an AggregationRule. Signed-off-by: Maciej Zimnoch <[email protected]>
Signed-off-by: Maciej Zimnoch <[email protected]>
Signed-off-by: Maciej Zimnoch <[email protected]>
zimnx
force-pushed
the
support-aggregated-clusterroles
branch
from
4f26287 to
ed1fffb
Compare
yes, added. |
|
Hi @jberkhahn @rashmigottipati @acornett21 @joelanford All comments have been addressed and the tests are passing - are we good to merge this? |
Hi @mflendrich All comments haven't been addressed, the below is still open |
Description of the change:
ClusterRoles that use an AggregationRule often do not have any rules defined directly. Instead, their rules are aggregated from other ClusterRoles that match the AggregationRule’s label selector.
The existing generator logic only included rules from ClusterRoles that were explicitly bound via ClusterRoleBindings to the ServiceAccounts used by Deployments. Since ClusterRoles with an AggregationRule typically lack direct rule definitions, the resulting permission bundle ended up being empty.
Motivation for the change:
Improve user experience of bundle generator for users using ClusterRole AggregationRule.
Checklist
If the pull request includes user-facing changes, extra documentation is required:
changelog/fragments(seechangelog/fragments/00-template.yaml)website/content/en/docsFixes #6977