
Services need fine-grained permissions #8723

Closed
erictune opened this issue May 23, 2015 · 12 comments
Labels
kind/design Categorizes issue or PR as related to design. priority/backlog Higher priority than priority/awaiting-more-evidence. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/network Categorizes an issue or PR as relevant to SIG Network.

Comments

@erictune
Member

We may want to let users create services, but not let them use all the possible options.

  • often we might not want a user to be allowed to pick ServiceType = NodePort because this consumes global resources.
  • possibly we might not want a user to be allowed to pick ServiceType = LoadBalancer, since this exposes services outside the cluster.
  • Possibly user-specified PortalIP needs restriction too?

For Pods we have a proposal to make a SecurityConstraint that controls some security sensitive fields which are grouped into a SecurityContext. Does this pattern apply to service as well in some way?

Sometimes we want to let a principal create pods, but not allow them to use all the possible options on pods. One way we are looking at doing this is to group some sensitive options

@erictune
Member Author

#8655 is about NodePort, which is one of the sensitive values.

@erictune
Member Author

#7893 is about SecurityContextConstraints.

@lavalamp lavalamp added kind/design Categorizes issue or PR as related to design. priority/backlog Higher priority than priority/awaiting-more-evidence. team/cluster sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. labels May 23, 2015
@justinsb
Member

Another reason for an ACL mechanism for LoadBalancer: it typically costs money (~ $20 for 5 rules on GCE, $15 each LB on AWS), and you typically can't create very many per cloud account (on AWS, the default limit is 20 per region).

@bgrant0607 bgrant0607 added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label May 25, 2016
@bgrant0607
Member

cc @derekwaynecarr

@derekwaynecarr
Member

We can quota usage of both load balancers and node ports in a namespace to ensure that a namespace cannot consume any. I will get an example quota soon.


@derekwaynecarr
Member

@erictune - an example doing this with quota:

apiVersion: v1
kind: ResourceQuota
metadata:
  name: quota
spec:
  hard:
    services.nodeports: "2"
    services.loadbalancers: "2"

You can set either to 0 to prevent consumption of either.

This is new to kube 1.3 - thanks to @sdminonne
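The quota above limits counted usage, not Service types as such, so it helps to see what a single Service is charged. The following is an added example, not code from this issue or from the Kubernetes code base: a small model of the quota arithmetic as I understand the upstream service evaluator (every Service counts 1 toward `services`; a NodePort Service is charged one `services.nodeports` per port; a LoadBalancer Service is charged one `services.loadbalancers` and, because it also allocates node ports, one `services.nodeports` per port unless `spec.allocateLoadBalancerNodePorts`, a field added in later releases, is false). The sample Service objects are constructed; `admit` is a hypothetical helper that applies the hard limits from the quota in this comment.

```python
from typing import Dict, List, Tuple

# Hard limits taken from the ResourceQuota in this issue.
QUOTA_HARD: Dict[str, int] = {"services.nodeports": 2, "services.loadbalancers": 2}

# Constructed sample Service objects (not from the issue).
EXISTING_NODEPORT = {"kind": "Service", "metadata": {"name": "web"},
                     "spec": {"type": "NodePort", "ports": [{"port": 80}]}}
NEW_CLUSTERIP = {"kind": "Service", "metadata": {"name": "db"},
                 "spec": {"type": "ClusterIP", "ports": [{"port": 5432}]}}
NEW_LB_TWO_PORTS = {"kind": "Service", "metadata": {"name": "ingress"},
                    "spec": {"type": "LoadBalancer", "ports": [{"port": 80}, {"port": 443}]}}
NEW_LB_NO_NODEPORTS = {"kind": "Service", "metadata": {"name": "ingress-nnp"},
                       "spec": {"type": "LoadBalancer", "allocateLoadBalancerNodePorts": False,
                                "ports": [{"port": 443}]}}


def service_usage(svc: dict) -> Dict[str, int]:
    """Quota charged by one Service (assumption: mirrors the upstream evaluator)."""
    spec = svc.get("spec", {})
    svc_type = spec.get("type", "ClusterIP")
    port_count = len(spec.get("ports", []))
    usage = {"services": 1, "services.nodeports": 0, "services.loadbalancers": 0}
    if svc_type == "NodePort":
        usage["services.nodeports"] = port_count
    elif svc_type == "LoadBalancer":
        usage["services.loadbalancers"] = 1
        # A LoadBalancer also allocates one node port per port unless explicitly disabled,
        # so it draws on the nodeports quota as well as the loadbalancers quota.
        if spec.get("allocateLoadBalancerNodePorts", True):
            usage["services.nodeports"] = port_count
    return usage


def total_usage(services: List[dict]) -> Dict[str, int]:
    """Sum the charges of all Services already present in the namespace."""
    total: Dict[str, int] = {}
    for svc in services:
        for res, n in service_usage(svc).items():
            total[res] = total.get(res, 0) + n
    return total


def admit(existing: List[dict], new_svc: dict, hard: Dict[str, int]) -> Tuple[bool, str]:
    """Admission decision for new_svc given the namespace's existing Services and hard limits."""
    used = total_usage(existing)
    requested = service_usage(new_svc)
    for res, limit in hard.items():
        if used.get(res, 0) + requested.get(res, 0) > limit:
            return False, (f"exceeded quota: requested {res}={requested.get(res, 0)}, "
                           f"used={used.get(res, 0)}, limited={limit}")
    return True, "ok"


if __name__ == "__main__":
    print(admit([EXISTING_NODEPORT], NEW_LB_TWO_PORTS, QUOTA_HARD))
    print(admit([EXISTING_NODEPORT], NEW_CLUSTERIP, QUOTA_HARD))
    # Setting both limits to 0, as the comment suggests, blocks every NodePort Service.
    print(admit([], EXISTING_NODEPORT, {"services.nodeports": 0, "services.loadbalancers": 0}))
```

The point worth noticing is that `services.nodeports` counts ports, not Services: with the limit of `"2"` above, one NodePort Service with one port plus a LoadBalancer Service with two ports is already over quota, while a ClusterIP Service is never charged against either limit.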

@sdminonne
Contributor

yep, @derekwaynecarr not sure if I have to do something for release notes on #24247 and #22154

@derekwaynecarr
Member

You should be fine. Both are labeled release note.


@sdminonne
Contributor

thanks

@erictune
Member Author

Quota seems good for nodePort.

For LoadBalancer, I was hoping we could express this via RBAC. Some roles can expose things to the internets, and some can't.

@thockin thockin added the sig/network Categorizes an issue or PR as relevant to SIG Network. label May 19, 2017
@smarterclayton
Contributor

For now quota handles this pretty effectively.

@liggitt
Member

liggitt commented Dec 13, 2017

quota and admission webhooks cover this for now

@liggitt liggitt closed this as completed Dec 13, 2017
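RBAC authorizes verbs on resources, not the values of individual fields, so it cannot by itself say "this role may create Services but not LoadBalancer ones"; that is why the thread lands on quota plus admission webhooks. The following is an added example, not code from this issue or from any Kubernetes project: the decision logic of a validating admission webhook for Services, written as a plain function over the AdmissionReview document the API server POSTs. The allowlist of namespaces permitted to create LoadBalancer Services, the sample request, and the `decide` helper are all constructed for illustration; the serving layer (TLS, HTTP handler, ValidatingWebhookConfiguration) is left out.

```python
import json
from typing import Optional

# Constructed policy (assumption, not from the issue): only these namespaces may create
# LoadBalancer Services, i.e. expose something outside the cluster.
LB_ALLOWED_NAMESPACES = {"edge"}


def _response(uid: str, allowed: bool, message: Optional[str] = None) -> dict:
    """Build the AdmissionReview response body for the request with this uid."""
    resp: dict = {"uid": uid, "allowed": allowed}
    if not allowed:
        resp["status"] = {"code": 403, "message": message}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": resp}


def review_service(admission_review: dict) -> dict:
    """Validate a Service create/update and return the AdmissionReview to send back."""
    req = admission_review["request"]
    uid = req["uid"]
    # Only Services are in scope; anything else is allowed through untouched.
    if req.get("kind", {}).get("kind") != "Service":
        return _response(uid, True)
    # UPDATE matters as much as CREATE: a ClusterIP Service can be edited into a LoadBalancer.
    if req.get("operation") not in ("CREATE", "UPDATE"):
        return _response(uid, True)
    spec = (req.get("object") or {}).get("spec", {})
    svc_type = spec.get("type", "ClusterIP")  # the API default when type is omitted
    namespace = req.get("namespace", "")
    if svc_type == "NodePort":
        return _response(uid, False, "Service type NodePort is not permitted; use ClusterIP")
    if svc_type == "LoadBalancer" and namespace not in LB_ALLOWED_NAMESPACES:
        return _response(uid, False,
                         f"Service type LoadBalancer is not permitted in namespace {namespace!r}")
    return _response(uid, True)


# Constructed AdmissionReview request, shaped like what the API server POSTs to a webhook.
SAMPLE_REQUEST = json.loads("""{
  "apiVersion": "admission.k8s.io/v1",
  "kind": "AdmissionReview",
  "request": {
    "uid": "00000000-0000-0000-0000-000000000001",
    "kind": {"group": "", "version": "v1", "kind": "Service"},
    "operation": "CREATE",
    "namespace": "dev",
    "object": {"kind": "Service", "metadata": {"name": "web"},
               "spec": {"type": "LoadBalancer", "ports": [{"port": 80}]}}
  }
}""")


def decide(review: dict, namespace: str, svc_type: str, operation: str = "CREATE") -> bool:
    """Hypothetical helper: re-run the sample request with other values and return `allowed`."""
    r = json.loads(json.dumps(review))  # deep copy so the sample stays unchanged
    r["request"]["namespace"] = namespace
    r["request"]["object"]["spec"]["type"] = svc_type
    r["request"]["operation"] = operation
    return review_service(r)["response"]["allowed"]


if __name__ == "__main__":
    print(json.dumps(review_service(SAMPLE_REQUEST), indent=2))
```

Two details carry the security weight: the check runs on UPDATE as well as CREATE, because otherwise a Service admitted as ClusterIP could later be patched into a LoadBalancer, and the missing `type` field is treated as ClusterIP, matching what the API server defaults it to, so an omitted field cannot slip past the policy.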