add clusterrole aggregation doc #1219
# Cluster Role Aggregation | ||
In order to support easy RBAC integration for CustomResources and Extension | ||
APIServers, we need to have a way for API extenders to add permissions to the | ||
"normal" roles for admin, edit, and view. |
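Review bot: This introduction should state outright that the default admin, edit and view ClusterRoles themselves become aggregated roles under this proposal, rather than leaving the reader to infer it from "add permissions to the 'normal' roles"; the rest of the document and the transition in kubernetes/kubernetes#54005 depend on that step. A cross-reference to kubernetes/enhancements#502 here would tie the doc to the implementation.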
This isn't explicitly stated, but it seems to be implied that we see admin, edit, and view being switched to aggregated rules so admins can register their permissions on the default ClusterRoles?
> This isn't explicitly stated, but it seems to be implied that we see admin, edit, and view being switched to aggregated rules so admins can register their permissions on the default ClusterRoles?
Yes. The open pull demonstrates a simple way to transition them.
subject to overwriting at any point. | ||
|
||
`aggregationRule` needs to be protected from escalation. The simplest way to | ||
do this is to restrict it to users with verb=`*`, apiGroups=`*`, resources=`*`. We |
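Review bot: The restriction to verb=`*`, apiGroups=`*`, resources=`*` only covers who may write `aggregationRule`; the paragraph should also spell out the other direction, namely that a ClusterRole carrying a matching label contributes nothing beyond its own `rules`, and those are already limited by the existing RBAC escalation check to permissions its creator holds, so labelling a role is not an escalation path. Without that sentence a reader is left to work out whether a user who can create a labelled ClusterRole can push arbitrary permissions into admin.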
How will this work with the `bind` verb the GKE and other webhook authorizers use?
Those govern writes of rolebindings, not roles. There's an outstanding enhancement issue for cross authorizer escalation checks for role mutation: kubernetes/kubernetes#43409
I like this! cc @mattmoyer @jbeda @timothysc
type AggregationRule struct { | ||
// Selector holds a list of selectors which will be used to find ClusterRoles and create the rules. | ||
// If any of the selectors match, then the ClusterRole's permissions will be added | ||
Selectors []metav1.LabelSelector |
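Review bot: The comment on `Selectors` should say what an empty list means: with "if any of the selectors match" semantics an empty list selects nothing, whereas a single selector with an empty `matchLabels` selects every ClusterRole in the cluster, and the two are easy to confuse. The field should also be marked `+optional`, and its name should match the `clusterRoleSelectors` key used in the YAML of the linked pull so the doc and the API agree.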
`clusterRoleSelectors`? all other selector fields in the API are either `selector` (and select pods) or are `<type>Selector` (`nodeSelector`, `namespaceSelector`, `podSelector`)
> `clusterRoleSelectors`? all other selector fields in the API are either `selector` (and select pods) or are `<type>Selector` (`nodeSelector`, `namespaceSelector`, `podSelector`)
No preference.
metadata: | ||
name: etcd-operator-admin | ||
label: | ||
rbac.authorization.k8s.io/aggregate-to-admin: true |
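Review bot: This example will not apply as written: the key under `metadata` is `labels:` (plural), and label values are strings, so the value must be quoted as `"true"`; an unquoted `true` is decoded as a boolean and rejected when read into `map[string]string`. Suggest `labels:` followed by `rbac.authorization.k8s.io/aggregate-to-admin: "true"`, and the same quoting in the `matchLabels` of the aggregated role so the selector value matches the label value exactly.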
`rbac.authorization.k8s.io/aggregate-to-clusterrole-name: admin` to match the example above?
> `rbac.authorization.k8s.io/aggregate-to-clusterrole-name: admin` to match the example above?
Turns out that doing it this way (name in the key), allows the role to try to aggregate itself to multiple cluster roles. The other way does not.
true. update the other one, then.
// AggregationRule is an optional field that describes how to build the Rules for this ClusterRole. | ||
// If AggregationRule is set, then the Rules are controller managed and direct changes to Rules will be | ||
// stomped by the controller. | ||
AggregationRule *AggregationRule |
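Review bot: The comment should say what a direct write to `Rules` does for the caller when `AggregationRule` is set: either the API server rejects the edit, or it is accepted and then silently replaced on the next reconcile. "Stomped by the controller" implies the second, which will surprise anyone who hand-patches admin, edit or view after the transition, so the behaviour deserves one explicit sentence. The pointer field should also carry the `+optional` marker.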
what would reconciliation for this field look like? that will be important in transitioning the existing admin/edit/view roles to aggregated roles

what would we do in the following cases:

- persisted role has `null`, desired role has aggregation rule (meaning setting an aggregation rule could tighten permissions in rules, which we avoid doing automatically)
- persisted role has aggregation rule, desired role has `null` (meaning any rules we added to would get stomped)
- persisted role has aggregation rule, desired role has aggregation rule with different selectors
> what would reconciliation for this field look like? that will be important in transitioning the existing admin/edit/view roles to aggregated roles

I replaced as a unit: https://github.com/kubernetes/kubernetes/pull/54005/files#diff-769f1c7c52943946bdc1ec3d7c9ec5d2R205 . It could tighten. I could write a one-time migration for those three using the reconcile post-start hook if you're particularly concerned. I think it's unlikely that many people will have problems going forward.
I have updated this so that selectors which are not present in the actual get added. On a tightening reconcile, the extra selectors are removed.
Thanks for this, David, seems super useful.

LGTM, just need to update the label/selector in the examples to match
@ericchiang: GitHub didn't allow me to request PR reviews from the following users: CRD, to, default, lets, us, cluster, this, tie, permissions, roles, FYI. Note that only kubernetes members can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/lgtm

/test all [submit-queue is verifying that this PR is safe to merge]
Automatic merge from submit-queue.
Automatic merge from submit-queue (batch tested with PRs 54005, 55127, 53850, 55486, 53440). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

aggregate cluster roles

xref kubernetes/community#1219 kubernetes/enhancements#502

This is a pull with API types, a controller, and a demonstration of how to move admin, edit, and view. Once we agree on the shape, I'll

I added

```yaml
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-admin: "true"
```

to the `ClusterRole`. A controller then goes and gathers all the matching ClusterRoles and sets the `rules` to the union of matching cluster roles.

@kubernetes/sig-auth-pr-reviews

```release-note
RBAC ClusterRoles can now select other roles to aggregate
```

Kubernetes-commit: f575c55589db84ef4d392823120f0238fd19ad93
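The union-of-rules behaviour described in the merged pull body, as an added example that is not code from the kubernetes/kubernetes controller or from this doc: a Go simulation of one reconcile pass over constructed sample roles. The types are simplified stand-ins (metav1.LabelSelector reduced to `matchLabels`, no k8s.io imports), and the skip-self and dedup steps are assumptions about the controller, not taken from this page. It also shows two points the review discussion turns on: selectors are OR-ed, so an extra selector widens the aggregated role, and hand-edited `rules` on the aggregated role do not survive a reconcile.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Simplified stand-ins for the RBAC API types (constructed for this example, not the
// real k8s.io types): metav1.LabelSelector is reduced to matchLabels only.
type PolicyRule struct {
	APIGroups []string
	Resources []string
	Verbs     []string
}

type LabelSelector struct {
	MatchLabels map[string]string
}

type AggregationRule struct {
	ClusterRoleSelectors []LabelSelector
}

type ClusterRole struct {
	Name            string
	Labels          map[string]string
	Rules           []PolicyRule
	AggregationRule *AggregationRule
}

// Matches reports whether every key/value pair of the selector is present on labels.
// An empty matchLabels map matches every role, as an empty label selector does in Kubernetes.
func (s LabelSelector) Matches(labels map[string]string) bool {
	for k, v := range s.MatchLabels {
		if got, ok := labels[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// Selected reports whether any selector matches: the selectors are OR-ed together.
func Selected(ar *AggregationRule, role ClusterRole) bool {
	for _, s := range ar.ClusterRoleSelectors {
		if s.Matches(role.Labels) {
			return true
		}
	}
	return false
}

// ruleKey gives a stable identity for a rule so duplicates contributed by
// several labelled roles collapse to one entry.
func ruleKey(r PolicyRule) string {
	return strings.Join(r.APIGroups, ",") + "|" + strings.Join(r.Resources, ",") + "|" + strings.Join(r.Verbs, ",")
}

// Aggregate performs one reconcile of target: its Rules are replaced by the union of the
// Rules of every other ClusterRole in all that some selector matches. Roles are visited in
// name order for a deterministic result; the target itself is skipped (assumption) so it
// cannot feed on its own rules. A role without an aggregationRule is returned unchanged.
func Aggregate(target ClusterRole, all []ClusterRole) ClusterRole {
	if target.AggregationRule == nil {
		return target
	}
	sorted := append([]ClusterRole(nil), all...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	seen := map[string]bool{}
	var rules []PolicyRule
	for _, cr := range sorted {
		if cr.Name == target.Name || !Selected(target.AggregationRule, cr) {
			continue
		}
		for _, r := range cr.Rules {
			if k := ruleKey(r); !seen[k] {
				seen[k] = true
				rules = append(rules, r)
			}
		}
	}
	target.Rules = rules // any hand-edited rules on the aggregated role are dropped here
	return target
}

// SampleCluster builds constructed input: an aggregated "admin" role carrying a hand
// edit, two labelled operator roles with the same rule, and a view-labelled role.
// Label values are strings ("true"), as Kubernetes requires.
func SampleCluster() (ClusterRole, []ClusterRole) {
	const toAdmin, toView = "rbac.authorization.k8s.io/aggregate-to-admin", "rbac.authorization.k8s.io/aggregate-to-view"
	etcdAll := PolicyRule{APIGroups: []string{"etcd.database.coreos.com"}, Resources: []string{"etcdclusters"}, Verbs: []string{"*"}}
	etcdRead := PolicyRule{APIGroups: []string{"etcd.database.coreos.com"}, Resources: []string{"etcdclusters"}, Verbs: []string{"get", "list", "watch"}}
	admin := ClusterRole{
		Name:            "admin",
		Rules:           []PolicyRule{{APIGroups: []string{""}, Resources: []string{"secrets"}, Verbs: []string{"*"}}}, // hand edit
		AggregationRule: &AggregationRule{ClusterRoleSelectors: []LabelSelector{{MatchLabels: map[string]string{toAdmin: "true"}}}},
	}
	all := []ClusterRole{
		admin,
		{Name: "etcd-operator-admin", Labels: map[string]string{toAdmin: "true"}, Rules: []PolicyRule{etcdAll}},
		{Name: "etcd-operator-admin-copy", Labels: map[string]string{toAdmin: "true"}, Rules: []PolicyRule{etcdAll}},
		{Name: "etcd-operator-view", Labels: map[string]string{toView: "true"}, Rules: []PolicyRule{etcdRead}},
	}
	return admin, all
}

func main() {
	admin, all := SampleCluster()
	for _, r := range Aggregate(admin, all).Rules {
		fmt.Printf("%v %v %v\n", r.APIGroups, r.Resources, r.Verbs)
	}
}
```

Running it prints a single rule for etcdclusters with verb `*`: the duplicate from the second labelled role is collapsed, the view-labelled role is not selected, and the hand-added secrets rule is gone. The defensive reading follows from the same loop: a labelled ClusterRole contributes only its own `rules`, which the existing RBAC escalation check already limits to permissions its creator holds, so the control that matters is the one the doc places on who may set `aggregationRule`.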
In order to support easy RBAC integration for CustomResources and Extension
APIServers, we need to have a way for API extenders to add permissions to the
"normal" roles for admin, edit, and view.
A doc form of kubernetes/kubernetes#54005
@kubernetes/sig-auth-feature-requests