RBAC manifest creation for Hosted Cluster admin personas #1014
Conversation
introduce RBAC artifact generation for hypershift admin personas / services those artifacts are generated when the `--enable-admin-rbac-generation` flag is provided during `hypershift install` persona: hypershift-client used by a client leveraging hypershift as a service to create hosted clusters * hypershift-client ClusterRole full permissions on the hostedcluster and nodepool CRs * hypershift-client ServiceAccount * hypershift-client ClusterRoleBinding binds the hypershift-client ClusterRole to hypershift-client SA and Group Ref the groups itself must be provided by other means persona: hypershift-reader used by admins to investigate hosted clusters and the hypershift operator. * hypershift-reader ClusterRole same permission subjects as the hypershift-operator ClusterRole but restricted to get, list, watch. access to secrets is not granted * hypershift-reader ClusterRoleBinding binds the hypershift-reader ClusterRole to a Group called hypershift-readers the group itself must be provided by other means Refs: * https://issues.redhat.com/browse/HOSTEDCP-306 * https://issues.redhat.com/browse/APPSRE-4335 Signed-off-by: Gerd Oberlechner <goberlec@redhat.com>
|
✔️ Deploy Preview for hypershift-docs ready! 🔨 Explore the source changes: 2d8749f 🔍 Inspect the deploy log: https://app.netlify.com/sites/hypershift-docs/deploys/620a80dd295dab000815872c 😎 Browse the preview: https://deploy-preview-1014--hypershift-docs.netlify.app |
| type HyperShiftReaderClusterRole struct{} | ||
|
|
||
| func (o HyperShiftReaderClusterRole) Build() *rbacv1.ClusterRole { | ||
| clusterOperatorRole := HyperShiftOperatorClusterRole{}.Build() |
There was a problem hiding this comment.
If we change HyperShiftOperatorClusterRole we won't necessarily know that this is impacted. My preference would be to explicitly include the RBAC rules here, even if it means copy-pasting code.
There was a problem hiding this comment.
addressed in 99eb9c8
| clientRoleBinding := assets.HyperShiftClientClusterRoleBinding{ | ||
| ClusterRole: clientClusterRole, | ||
| ServiceAccount: clientServiceAccount, | ||
| GroupName: "hypershift-client", |
There was a problem hiding this comment.
I thought we were going to include these groups in the resources as well, no?
There was a problem hiding this comment.
maybe a misunderstanding on my end. i had the impression that it was the general sentiment to keep non-k8s-native resources limited when possible. AppSRE can deal with group creation/maintenance, because OSD/ROSA dedicated-admin allows that.
instead of copy+modify the hypershift-operator cluster role, list the permissions required for the hypershift-readers cluster role explicitely Signed-off-by: Gerd Oberlechner <goberlec@redhat.com>
|
/label tide/merge-method-squash |
openshift-ci
bot
added
the
tide/merge-method-squash
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: csrwng, geoberle The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
/retest |
1 similar comment
|
/retest |
|
@geoberle: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
What this PR does / why we need it:
introduce RBAC artifact generation for hypershift admin personas / services
those artifacts are generated when the
--enable-admin-rbac-generationflagis provided during
hypershift installpersona: hypershift-client
used by a client leveraging hypershift as a service to create hosted clusters
full permissions on the hostedcluster and nodepool CRs
binds the hypershift-client ClusterRole to hypershift-client SA and Group Ref
the groups itself must be provided by other means
persona: hypershift-readers
used by admins to investigate hosted clusters and the hypershift operator.
same permission subjects as the hypershift-operator ClusterRole but restricted
to get, list, watch. access to secrets is not granted
binds the hypershift-readers ClusterRole to a Group called hypershift-readers
the group itself must be provided by other means
fixes HOSTEDCP-306
fixes APPSRE-4335
Checklist
Signed-off-by: Gerd Oberlechner goberlec@redhat.com