Only add cluster role permissions for enabled sources #2413
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
the
size/S
|
@haines have you tested this locally? It looks good to me but I'd like to know that if a source is set that it'll continue working. |
haines
force-pushed
the
helm-chart-cluster-role-permissions
branch
from
e97f0d3 to
fdcc0d4
Compare
k8s-ci-robot
added
size/M
|
@stevehipwell I've reviewed the code for those sources and found that some of them have informers for multiple resource kinds, so the permissions have some degree of overlap. See what you think - I haven't attempted to deduplicate (so if you use both I've also tested all the sources on a local cluster with the updated chart and they are working correctly in dry-run mode. |
|
@haines I thought that might be the case. Wouldn't it be clearer to only have each rule once but have it enabled via an For example. {{- if or (or (has "node" .Values.sources) (has "pod" .Values.sources)) (has "service" .Values.sources) }}
- apiGroups: [""]
resources: ["nodes"]
verbs: ["list","watch"]
{{- end }} |
Personally, I found it clearer to just have a separate block for each source; I find those What about including a comment in the generated manifest to show those blocks, so the template can be easier to read but also produce less confusing output? So something like {{- if has "ingress" .Values.sources }}
# permissions for "ingress" source
- apiGroups: ["extensions","networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get","watch","list"]
{{- end }}
{{- if has "istio-gateway" .Values.sources }}
# permissions for "istio-gateway" source
- apiGroups: ["networking.istio.io"]
resources: ["gateways"]
verbs: ["get","watch","list"]
{{- end }}
... |
|
@haines the chains add a bit of complexity for chart development, but result in much cleaner manifests for the end users. I'd much prefer the pattern that results in clearer outputs for the users. |
haines
force-pushed
the
helm-chart-cluster-role-permissions
branch
from
fdcc0d4 to
8b5bcb4
Compare
k8s-ci-robot
added
size/S
|
@stevehipwell done! I think it's pretty readable in the end - I realised the I'll submit a PR to the Helm docs which incorrectly state that |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: haines, stevehipwell The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
@Raffo the release process worked correctly!! 🥳 |
|
That is very good to hear! |
Following up on a previous discussion, this PR changes the cluster role permissions to only include permissions for enabled sources. This doesn't require any additional configuration by the end user, because we know which permissions need to be added based on the sources selected in
.Values.sources.We run external-dns with only one source (
istio-gateway), so we don't need to grant it permission to access endpoints, ingresses, nodes, pods, or services; the existing setup in the chart grants these permissions regardless.I think it's beneficial to follow principle of least privilege here, and to be consistent with the setup for the Istio sources.