Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: scope operator's CRD permissions to cilium endpoints/identities #800

Merged
merged 1 commit into from
Oct 1, 2024
Merged

fix: scope operator's CRD permissions to cilium endpoints/identities #800

merged 1 commit into from
Oct 1, 2024

Conversation

huntergregory
Copy link
Contributor

Description

Use minimal required RBAC. Retina Operator only needs to manage CiliumEndpoints and CiliumIdentities.

Note: create cannot be scoped to resourceNames per the k8s documentation: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources

Trying to scope create resulted in CrashLoop for Retina operator with the error:

unable to create CRDs: Unable to create custom resource definition: customresourcedefinitions.apiextensions.k8s.io is forbidden: User \"system:serviceaccount:kube-system:retina-operator\" cannot create resource \"customresourcedefinitions\" in API group \"apiextensions.k8s.io\" at the cluster scope" function="github.com/Azure/retina-enterprise/operator/k8s/apis.createCRDs.func1 (workspace/operator/k8s/apis/cell.go:61)

Checklist

  • I have read the contributing documentation.
  • I signed and signed-off the commits (git commit -S -s ...). See this documentation on signing commits.
  • I have correctly attributed the author(s) of the code.
  • I have tested the changes locally.
  • I have followed the project's style guidelines.
  • I have updated the documentation, if necessary.
  • I have added tests, if applicable.

Tests

CRDs were created. Retina Operator had no errors on first install or after being manually restarted.

@huntergregory
fix: scope operator's CRD permissions to cilium endpoints/identities
db65073 
Signed-off-by: Hunter Gregory <42728408+huntergregory@users.noreply.github.com>
@huntergregory huntergregory requested a review from a team as a code owner October 1, 2024 00:45
@nddq nddq added this pull request to the merge queue Oct 1, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Oct 1, 2024
@nddq nddq added this pull request to the merge queue Oct 1, 2024
Merged via the queue into main with commit f2da04b Oct 1, 2024
22 checks passed
@nddq nddq deleted the huntergregory/retina-operator-rbac branch October 1, 2024 20:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nddq nddq nddq approved these changes

@alexcastilio alexcastilio Awaiting requested review from alexcastilio alexcastilio is a code owner automatically assigned from microsoft/retina

@anubhabMajumdar anubhabMajumdar Awaiting requested review from anubhabMajumdar anubhabMajumdar is a code owner automatically assigned from microsoft/retina

Assignees
No one assigned
Labels
control-plane/hubble
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@huntergregory @nddq