
Commit

Tighten RBAC
As the user's token is used to provision things e.g. physical networks,
this presents a very real danger of DoS attacks that exhaust all
available VLANs for example.  This simplifies RBAC so the user is only
allowed to operate on kubernetes clusters, and thus cannot have direct
low level access to the region service, they must go via a higher order
abstraction.  This has the knock on effect of making quota management a
lot easier in the future, and acts as precedent for the compute service
so the same "mistakes" (actually, it's just natural evolution) from
occurring.
spjmurray committed Nov 5, 2024
1 parent a251ab4 commit 6bb4647
Showing 15 changed files with 715 additions and 157 deletions.
4 changes: 2 additions & 2 deletions charts/kubernetes/Chart.yaml
Expand Up @@ -4,8 +4,8 @@ description: A Helm chart for deploying Unikorn Kubernetes Service

type: application

version: v0.2.45
appVersion: v0.2.45
version: v0.2.46
appVersion: v0.2.46

icon: https://raw.githubusercontent.com/unikorn-cloud/assets/main/images/logos/dark-on-light/icon.png

2 changes: 2 additions & 0 deletions charts/kubernetes/templates/server/deployment.yaml
Expand Up @@ -23,6 +23,8 @@ spec:
{{- include "unikorn.otlp.flags" . | nindent 8 }}
{{- include "unikorn.identity.flags" . | nindent 8 }}
{{- include "unikorn.region.flags" . | nindent 8 }}
- --client-certificate-namespace={{ .Release.Namespace }}
- --client-certificate-name=unikorn-kubernetes-client-certificate
ports:
- name: http
containerPort: 6080
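Review bot: The secret name in `--client-certificate-name=unikorn-kubernetes-client-certificate` is hard-coded in the template, while the namespace on the line above it is templated from `.Release.Namespace`. If the certificate resource that produces this secret is also defined in the chart, derive both names from one helper or values entry so a rename cannot leave the server pointing at a missing secret. These flags also imply the server reads a client certificate secret at runtime, so confirm that its service account is granted read access to that one named secret only (a `resourceNames` restriction) and not to every secret in the namespace; that grant is not visible in this hunk.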
4 changes: 2 additions & 2 deletions go.mod
Expand Up @@ -13,8 +13,8 @@ require (
github.com/prometheus/client_golang v1.20.5
github.com/spf13/pflag v1.0.5
github.com/unikorn-cloud/core v0.1.79
github.com/unikorn-cloud/identity v0.2.42
github.com/unikorn-cloud/region v0.1.44
github.com/unikorn-cloud/identity v0.2.44
github.com/unikorn-cloud/region v0.1.45
go.opentelemetry.io/otel v1.31.0
go.opentelemetry.io/otel/sdk v1.31.0
gopkg.in/ini.v1 v1.67.0
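Review bot: The `identity` (v0.2.42 to v0.2.44) and `region` (v0.1.44 to v0.1.45) bumps in the `require` block travel with the RBAC change, but the commit message does not say which behaviour in those releases the change depends on. State the minimum identity and region service versions that must be deployed alongside this release, so operators know the upgrade order when users lose direct access to the region service.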
8 changes: 4 additions & 4 deletions go.sum
Expand Up @@ -177,10 +177,10 @@ github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65E
github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
github.com/unikorn-cloud/core v0.1.79 h1:fdIUG7R2Sa2wBY+x+JLhCzQYuGFQqCf7PS/lB7u1Dzg=
github.com/unikorn-cloud/core v0.1.79/go.mod h1:wEKzCwAnIyTbo27l++Wl+gK95TAxMsFS3y3jbFB03aw=
github.com/unikorn-cloud/identity v0.2.42 h1:9amEcydDq23RZYO4rTtxOhVgw/BH1mdXQgq0fWT+RM0=
github.com/unikorn-cloud/identity v0.2.42/go.mod h1:JMbS6iTYzt0OVt5AkqZys3WVnpLabGvUl8kGWcxzFZI=
github.com/unikorn-cloud/region v0.1.44 h1:GJnUHFBkxnOAssHd7NBXY9Zpva6lB5ozKPesHnORVzo=
github.com/unikorn-cloud/region v0.1.44/go.mod h1:N5wS4Js49JR5WARnRwzeVXRL//M+WVKZBAiqQVA7Yao=
github.com/unikorn-cloud/identity v0.2.44 h1:tXV/qsJ77Dkx8ba8gnBFXHWUgBNsJ2oo/5TjnyhkH7U=
github.com/unikorn-cloud/identity v0.2.44/go.mod h1:JMbS6iTYzt0OVt5AkqZys3WVnpLabGvUl8kGWcxzFZI=
github.com/unikorn-cloud/region v0.1.45 h1:qpUwB+s/SEZNHZqwHTYovtWUVdJB2AKEl06NbiIwnOw=
github.com/unikorn-cloud/region v0.1.45/go.mod h1:QqWLEfB8bNRIUAU7h5JjkQsjyJdTV+2ltDYksRjKMds=
github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
github.com/xlab/treeprint v1.2.0 h1:HzHnuAF1plUN2zGlAFHbSQP2qJ0ZAD3XF5XD7OesXRQ=
281 changes: 281 additions & 0 deletions pkg/openapi/client.go

Some generated files are not rendered by default.

1 change: 1 addition & 0 deletions pkg/openapi/config.yaml
@@ -1,3 +1,4 @@
package: generated
import-mapping:
https://raw.githubusercontent.com/unikorn-cloud/core/main/pkg/openapi/common.spec.yaml: github.com/unikorn-cloud/core/pkg/openapi
https://raw.githubusercontent.com/unikorn-cloud/region/main/pkg/openapi/server.spec.yaml: github.com/unikorn-cloud/region/pkg/openapi
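Review bot: The import-mapping keys in this hunk resolve the core and region specs from the `main` branch, while go.mod pins `github.com/unikorn-cloud/region` to a tagged release. The generated client in pkg/openapi/client.go is then built against whatever the region spec on `main` says at generation time, which can differ from the Go types in the pinned module. Consider referencing the spec at the tag that matches the go.mod version so that regenerating the client is reproducible.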
