Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Minimize manual creation of manifest files at deployment #50

Merged
merged 5 commits into from
Nov 16, 2021
Merged

Minimize manual creation of manifest files at deployment #50

merged 5 commits into from
Nov 16, 2021

Conversation

rustycl0ck
Copy link
Contributor

What this PR does / Why we need it

  • ClusterRole for events: Provide default access to the controller for publishing events so that a separate Role and RoleBinding does not need to be created separately at the deployment time by the user (through steps provided in README). The current additional step of creating these two resources adds more complexity to the deployment process and does not provide any additional benefits in terms of security.

    I think that having default permissions to publish events should be fine because it does not grant access to any confidential data like secrets etc.

  • ClusterRole for secrets: The current process for the user is to create a secret, and then additionally create a Role/RoleBinding pair for providing access to controller for that secret. The controller will need access to the secrets if some of the users choose to use the GCP-service-account key for access. So, if we provide the controller read access to k8s secrets, it will simplify the deployment process for the user, because they only have to create the secret and the SpannerAutoscaler CRD then. No more additional custom written yaml files.

    The downside is that the spanner-autoscaler-controller will have read access to all the secrets. But I think this permission can not be misused by the spanner-autoscaler-controller as is visible from the source code that it will try to read only the secret name which is provided in the SpannerAutoscaler CRD. And more advanced users will anyways create their own manifest files for deployment, and can remove access toe secrets in the clusterrole.

    I think it would be better to keep the default read access to secrets (for majority of the users). And we can add a note about how advanced users can choose to not provide this access by modifying the default RBAC files. Let me know what you think about this.

@rustycl0ck
Add clusterrole for events access
54c0187 
Signed-off-by: rustyclock <rustyclock@protonmail.com>
@rustycl0ck
Add clusterrole for secrets access
22298ee 
Signed-off-by: rustyclock <rustyclock@protonmail.com>
@rustycl0ck
Option to deny cluster-wide secret access
a628de7 
Signed-off-by: rustyclock <rustyclock@protonmail.com>
@github-actions github-actions bot added size/L and removed size/M labels Nov 5, 2021
@rustycl0ck rustycl0ck marked this pull request as ready for review November 5, 2021 05:02
@rustycl0ck rustycl0ck requested a review from a team as a code owner November 5, 2021 05:02
tkuchiki
tkuchiki reviewed Nov 8, 2021
View reviewed changes
config/rbac/role.yaml
resources:
- secrets
verbs:
- get
Copy link
Contributor

@tkuchiki tkuchiki Nov 8, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- get
- get
resourceNames:
- spanner-autoscaler-service-account

The downside is that the spanner-autoscaler-controller will have read access to all the secrets.

I have a feeling this will solve the problem. Is there any problem?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a good idea. I have now restricted the default access only the secrets named spanner-autoscaler-gcp-sa.

Thanks for the suggestion!

@rustycl0ck
Provide default read access for one secret
9d1b0ab 
* Provide default read access to secret named `spanner-autoscaler-gcp-sa`
* Update documentation with the correct secret name and information

Signed-off-by: rustyclock <rustyclock@protonmail.com>
@rustycl0ck
Remove unused kind targets and resources
a556f5f 
Signed-off-by: rustyclock <rustyclock@protonmail.com>
tkuchiki
tkuchiki approved these changes Nov 15, 2021
View reviewed changes
Copy link
Contributor

@tkuchiki tkuchiki left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@tkuchiki tkuchiki merged commit 9aaf90e into mercari:master Nov 16, 2021
@rustycl0ck rustycl0ck deleted the rbac-optimize branch January 28, 2022 04:23
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@tkuchiki tkuchiki tkuchiki approved these changes

Assignees
No one assigned
Labels
size/L
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rustycl0ck @tkuchiki