Add RBAC policies for NetworkPolicy #56650
Conversation
@soltysh (re openshift/origin#17491) |
Are namespace constrained users expected to have write access to network policy? Or is that a tool for the cluster administrator to optionally grant? |
NetworkPolicy was specifically designed to be used by namespace admins. (They give you the power to keep other users out of your namespace, but don't give you the power to get into other users' namespaces or anything like that.) (And these policies match what we do in OpenShift.) I guess in theory a cluster admin might want to create a policy like "allow connections from pods in the magic-admin-can-connect-to-everything namespace" in each namespace and then not let namespace admins delete it. But I don't think that's much different from "in theory a cluster admin might want to create a pod/service and not let the namespace admin delete it". |
Naively, I would have expected a common network policy to be something like "don't let pods hit the AWS metadata service" to prevent pods from getting node credentials. That seems like something a cluster admin wouldn't want a user in a namespace to be able to get around. |
Does network policy not control egress as well? |
NetworkPolicy can control egress now, but the feature is explicitly described as being for namespace-admin use, not for cluster-admin use. Well, OK, actually it's not documented very well, but that's how it was always discussed and how it was designed. The use case it solves is
and not
which we discussed but assumed we couldn't implement with NetworkPolicy because we were still thinking in a pre-RBAC mindset where there is no one (within the Kubernetes API) more powerful than a namespace admin. If we implement that use case later, it would be via a separate resource type, because the expectation with NetworkPolicies has always been that namespace admins have complete control over NetworkPolicies in their namespace. (Use cases from this doc.) |
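The AWS metadata case raised above, written out as an added example (this is not code from the thread or from the PR): a namespace-scoped egress NetworkPolicy that lets pods reach everything except the instance metadata endpoint. The policy and namespace names are constructed; whether `ipBlock` rules are enforced depends on the cluster's network plugin. As the discussion points out, a namespace admin holding write permission on NetworkPolicy can delete or loosen this object, so it protects the namespace owner's own workloads rather than enforcing a cluster-wide rule.

```yaml
# Added example, not part of the original PR. Names are constructed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: block-instance-metadata   # constructed name
  namespace: example-ns           # constructed namespace
spec:
  # Empty podSelector: the policy applies to every pod in the namespace.
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - ipBlock:
        cidr: 0.0.0.0/0
        except:
        # Link-local address of the cloud instance metadata service (AWS and others).
        - 169.254.169.254/32
```

Because this is an allow-list, any pod selected by the policy keeps unrestricted egress to all other destinations (including cluster DNS); only traffic to the excluded address is dropped. Selecting all pods with an empty `podSelector` is what makes a forgotten or newly created pod covered by default.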
@thockin can you confirm that I'm representing the intent of NetworkPolicy correctly? (That namespace admins are expected to have complete control over NetworkPolicies in their namespaces.) |
@kubernetes/sig-auth-pr-reviews @kubernetes/sig-network-pr-reviews |
Talked with @thockin, and that was the intent (the app owner controls network policy for their app). If we want a control for the cluster-admin to lock down namespaces, that's likely to be represented as a separate resource (possibly cluster-scoped, possibly namespace-selecting, etc.) |
/lgtm |
/approve no-issue |
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: danwinship, liggitt. Associated issue requirement bypassed by: liggitt.
Automatic merge from submit-queue (batch tested with PRs 17549, 17785). NetworkPolicy RBAC fixes. As part of the k8s 1.8 rebase, the NetworkPolicy code was changed to use networking.NetworkPolicy rather than extensions.NetworkPolicy, but the roles weren't updated to have the right permissions. (This wasn't caught because only extended-networking-minimal gets run on PRs by default, and that only tests multitenant.) Fixes test_branch_origin_extended_networking (kubernetes/kubernetes#56650 hasn't actually merged yet.)
Automatic merge from submit-queue.
What this PR does / why we need it:
When using RBAC, none of the namespace-level roles currently have permission to do anything with NetworkPolicy. (Only cluster-admin does, by virtue of having permission on "*".) This fixes it so "admin" and "edit" have read/write permission, and "view" has read-only permission.
I added permission for both the extensions and networking objects, which I believe is correct as long as both of them exist?
(This would be nice to fix in 1.9, although it's not a regression. It's always been broken.)
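The permissions described above, spelled out as an added example (not the PR's own code, which changes the bootstrap policy inside the apiserver): two ClusterRoles granting read-only and read/write access to NetworkPolicy in both the `extensions` and `networking.k8s.io` API groups, as the description says. The role names are constructed. The `aggregate-to-*` labels are the real labels the aggregated default `view`, `edit` and `admin` roles pick up on 1.9+ clusters; on older clusters the roles can instead be bound directly with a RoleBinding.

```yaml
# Added example, not the PR's own change. Role names are constructed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: networkpolicy-view   # constructed name
  labels:
    # Folds these rules into the default "view" role on 1.9+ (aggregation).
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: ["extensions", "networking.k8s.io"]
  resources: ["networkpolicies"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: networkpolicy-edit   # constructed name
  labels:
    # Folds these rules into the default "edit" and "admin" roles on 1.9+.
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["extensions", "networking.k8s.io"]
  resources: ["networkpolicies"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

To confirm what a given subject can actually do after the roles are in place, ask the apiserver directly, e.g. `kubectl auth can-i create networkpolicies.networking.k8s.io --as=<user> -n <namespace>` for the write side and the same with `get` for the view side. Listing both API groups matters only while both serve NetworkPolicy; once the `extensions` version is gone, the first entry in each `apiGroups` list becomes dead weight and can be dropped.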
Release note: