Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ability to grant the spicedb-operator limited Kubernetes permissions #311

Open
jgarcia-sqsp opened this issue May 15, 2024 · 1 comment
Open

Ability to grant the spicedb-operator limited Kubernetes permissions #311

jgarcia-sqsp opened this issue May 15, 2024 · 1 comment

Comments

@jgarcia-sqsp
Copy link

Context

I'm working on setting up the spicedb-operator but don't want to give it more permissions than it truly needs. I would like to withhold some of the kubernetes permissions the operator expects without it affecting its functionality. Ideally, I'd like to grant it only the fewest permissions it needs to provision and manage a spicedb cluster.

Currently, I'd like to not grant it the full ability to create or patch Role and RoleBinding resources within a cluster/namespace. However, if I try do that the operator logs a lot of warnings and it fails to provision spicedb clusters. I believe this is configured in the ensureRoleBinding function. Logs I'm seeing:

msg="requeueing after api error" err="context canceled" syncID="H2LCy" controller="spicedbclusters" obj={"name":"spicedbcluster","namespace":"namespace"}

msg="requeueing after error" err="rolebindings.rbac.authorization.k8s.io "spicedbcluster" is forbidden: User "system:serviceaccount:spicedb-operator:spicedb-operator" cannot patch resource "rolebindings" in API group "rbac.authorization.k8s.io" in the namespace "namespace"" syncID="j8aUD" controller="spicedbclusters" obj={"name":"spicedbcluster","namespace":"namespace"}

Problematic permissions that the operator currently requires:

From https://github.com/authzed/spicedb-operator/blob/main/config/rbac/role.yaml

Permissions to read/write any secret in a cluster/namespace.

- apiGroups: [""]
  resources: [secrets]
  verbs: [create, delete, get, list, patch, update, watch]

Permissions to create and/or update roles and roleBindings. Would allow the operator to change the roles granted to it.

- apiGroups: [rbac.authorization.k8s.io]
  resources: [roles]
  verbs: [create, delete, get, list, patch, update, watch]
- apiGroups: [rbac.authorization.k8s.io]
  resources: [roleBindings]
  verbs: [create, delete, get, list, patch, update, watch]

Suggested workaround/solution

Briefly discussed this issue with ecordell and the following was suggested:

  • Update the spicedb-operator to allow the user to specify the serviceaccount up front and the operator could just confirm the account has the permissions that it needs. Specific RBAC configuration the operator and spicedb clusters are granted would be up to the user. (short-term workaround)

  • Ideally, anything the operator has permission to do it would just do it, and anything it doesn't have permission to do it would warn the user about / tell the user about this in the status.
@jgarcia-sqsp jgarcia-sqsp changed the title Ability to grant the spicedb-operator Kubernetes specific permissions Ability to grant the spicedb-operator Kubernetes specific permissions on resources May 16, 2024
@jgarcia-sqsp jgarcia-sqsp changed the title Ability to grant the spicedb-operator Kubernetes specific permissions on resources Ability to grant the spicedb-operator limited Kubernetes permissions May 16, 2024
@ecordell
Copy link
Contributor

ecordell commented Jul 8, 2024

Some related discussion here too: #291 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ecordell @jgarcia-sqsp