ffromani
Member

Narrow down RBAC permissions in two ways:

  1. (minor) reduce verb requirements; this is still ongoing and the changes in this area are just initial. We should avoid asterisk permission and always spell them out even if it's the full list.
  2. (major) reduce scoping. Move from cluster-role to roles as much as possible. This also requires cache tunings to actually query the target namespace.

The PR is reviewable but should be merged post the 4.20 cutoff, and we need to carefully test that it works with different namespaces - I'm testing using the default numaresources namespace. The expectation is it does, but we need to verify both the component contracts and the actual behavior.

Add controller watches for the resources required
for network policies and metric support

Signed-off-by: Francesco Romani <fromani@redhat.com>

Instead of conflating all the RBAC annotations in the controller,
which was a historical artifact, we should either centralize them,
or do the opposite and split them and move close to the user.
The easiest path is the second one as the first one requires a deeper
redesign, so this PR implements it.

Signed-off-by: Francesco Romani <fromani@redhat.com>

Narrow down the permissions the controllers need to
have against the core resources.
Basically the controllers need read-only access to the spec
and own the status subresource, so fix the RBAC rules accordingly.

Signed-off-by: Francesco Romani <fromani@redhat.com>

@ffromani
Member Author

/hold

openshift-ci bot added the do-not-merge/work-in-progress and do-not-merge/hold labels Aug 13, 2025

openshift-ci bot requested review from shajmakh and swatisehgal August 13, 2025 13:14

Contributor

openshift-ci bot commented Aug 13, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ffromani

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci bot added the approved label Aug 13, 2025

reduce the RBAC permissions from unnecessary cluster scope
to namespace scope. The operator owns only the resources
in its own namespace, not in the cluster.
This tightens security.

Signed-off-by: Francesco Romani <fromani@redhat.com>

Contributor

openshift-ci bot commented Aug 13, 2025

@ffromani: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/ci-e2e-install-hypershift | 03f1798 | link | true | /test ci-e2e-install-hypershift |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
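
A small check for the narrowing goals this PR describes (no wildcard verbs, a Role instead of a ClusterRole for resources owned in the operator namespace, writes only on the status subresource), added here as an example and not taken from the PR or the operator's code. The `Rule` type, the `Audit` function and the sample rules, including the hypothetical `examples` resource, are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a simplified stand-in for an rbac/v1 PolicyRule; ClusterScoped marks a ClusterRole.
type Rule struct {
	ClusterScoped    bool
	Resources, Verbs []string
}

var writeVerbs = map[string]bool{"create": true, "update": true, "patch": true, "delete": true}
// Audit reports rules that miss the narrowing goals. inNamespace lists resources
// used only in the operator namespace; statusOnly lists resources with a read-only spec.
func Audit(rules []Rule, inNamespace, statusOnly map[string]bool) []string {
	var findings []string
	for i, r := range rules {
		for _, v := range r.Verbs {
			if v == "*" {
				findings = append(findings, fmt.Sprintf("rule %d: wildcard verb", i))
			}
		}
		for _, res := range r.Resources {
			base, sub, _ := strings.Cut(res, "/") // "examples/status" -> "examples", "status"
			if r.ClusterScoped && inNamespace[base] {
				findings = append(findings, fmt.Sprintf("rule %d: %s should be granted by a Role", i, res))
			}
			for _, v := range r.Verbs {
				if statusOnly[base] && sub != "status" && (writeVerbs[v] || v == "*") {
					findings = append(findings, fmt.Sprintf("rule %d: %s allows %s outside /status", i, res, v))
				}
			}
		}
	}
	return findings
}

// Constructed sample rules; "examples" is a hypothetical custom resource.
var sample = []Rule{
	{ClusterScoped: true, Resources: []string{"deployments"}, Verbs: []string{"*"}},
	{ClusterScoped: true, Resources: []string{"examples"}, Verbs: []string{"get", "list", "watch", "update"}},
	{ClusterScoped: true, Resources: []string{"examples/status"}, Verbs: []string{"get", "update", "patch"}},
	{ClusterScoped: false, Resources: []string{"deployments"}, Verbs: []string{"get", "list", "watch", "create", "update", "delete"}},
}

func main() {
	fmt.Println(strings.Join(Audit(sample, map[string]bool{"deployments": true}, map[string]bool{"examples": true}), "\n"))
}
```

The last two sample rules produce no findings: writes on `examples/status` and a fully spelled-out verb list in a namespaced Role both match the target state.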
