Remove e2e-rbac-bindings. #46750
Remove e2e-rbac-bindings. #46750
Conversation
cjcullen
added
the
release-note-none
k8s-ci-robot
added
the
cncf-cla: yes
k8s-github-robot
added
the
size/L
And until kubelets get credentials that work with the node authorizer |
Isn't it needed for many of the add-ons that run as the default service account? |
| apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
| kind: ClusterRole | ||
| metadata: | ||
| name: system:heapster-cluster-role |
There was a problem hiding this comment.
@deads2k thoughts on system: prefixes for roles defined in addons?
There was a problem hiding this comment.
@deads2k thoughts on system: prefixes for roles defined in addons?
I'm ok with doing it for addons which live in the kubernetes org (not kubernetes-incubator).
| labels: | ||
| kubernetes.io/cluster-service: "true" | ||
| addonmanager.kubernetes.io/mode: Reconcile | ||
| rules: |
There was a problem hiding this comment.
how does this differ from the system:heapster role? (https://github.com/kubernetes/kubernetes/blob/master/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml#L386-L406)
There was a problem hiding this comment.
It doesn't. Didn't realize that one was there. I'll drop this one and refer to the existing one.
| resources: | ||
| - pods | ||
| verbs: | ||
| - get |
There was a problem hiding this comment.
heapster only gets pods in the kube-system namespace?
There was a problem hiding this comment.
I saw the "pod_nanny" (one of heapster's containers) getting the heapster pod from the API.
There was a problem hiding this comment.
the sidecar dynamically resizes the heapster deployment, so it'll also need to do a put/patch on deployments to resize itself.
There was a problem hiding this comment.
Ya, you need write on deployments.
There was a problem hiding this comment.
the sidecar dynamically resizes the heapster deployment, so it'll also need to do a put/patch on deployments to resize itself.
This seems like a questionable power to grant to a pod. If its given the power to modify its own deployment, then a compromise of a particular pod cannot be resolved by simply deleting the pod since it has been allowed to modify its own config.
In addition, by doing it inside of the kube-system namespace, if you compromise the heapster pod, you will have compromised every deployment, rs, rc, secret, etc in the cluster because it gained the power to change its service account which gave it the power to mount any SA token in the kube-system namespace where controller SAs are located.
There was a problem hiding this comment.
This seems like a questionable power to grant to a pod
Agree, and since not all installations run the pod nanny, it shouldn't be part of the standard heapster role.
There was a problem hiding this comment.
It would be nice if we could assign service accounts to individual pods. I wonder if there's a work around.
Could we create a "heapster-nanny" role, bind it to a service account, and mount the service account's secret where SAs are usually mounted?
There was a problem hiding this comment.
All 5 of the supported CLUSTER_MONITORING setups have the pod-nanny running with heapster, and we don't create this role/binding unless one of those is selected.
I renamed that role to system:pod-nanny.
There was a problem hiding this comment.
I agree that it is not optimal, but it's better than what currently exists.
roberthbailey
added
sig/auth
k8s-github-robot
added
size/M
|
/approve |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
k8s-github-robot
added
the
approved
| name: system:heapster | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| name: default |
There was a problem hiding this comment.
I would have expected a heapster service account here, defined by the addon and referenced inside the deployments... it's odd for one addon to grant a role to the default service account that lots of other addons use
| name: system:pod-nanny | ||
| subjects: | ||
| - kind: ServiceAccount | ||
| name: default |
There was a problem hiding this comment.
same thing, heapster service account here
|
definitely needs a release note, action required. I am certain there are things deploying to GCE that assume the default service account in the kube-system namespace is a cluster admin. The release note should indicate how to grant that permission on a new cluster if it is desired. |
| # the system:serviceaccount:kube-system:default identity. We need to subdivide | ||
| # those service accounts, figure out which ones we're going to make bootstrap roles for | ||
| # and bind those particular roles in the addon yaml itself. This just gets us started | ||
| apiVersion: rbac.authorization.k8s.io/v1beta1 |
There was a problem hiding this comment.
does removing this mean the add-on manager will delete the existing binding on an upgrade? we should not do that automatically. what do we need to do to avoid binding to the default service account in a new cluster, but avoid deleting the existing binding on an upgrade?
There was a problem hiding this comment.
We could create a binding that does nothing, and set it as an EnsureExists addon. New clusters would get the toothless policy created, but existing clusters would see that something by that name already exists. It does mean that we have a binding called "todo-remove-grabbag-cluster-admin" forever...
There was a problem hiding this comment.
tightening permissions on unknown workloads on upgrade isn't something we should do lightly. I'd take an ugly toothless binding for a release or two. Can release note it now, omit it in new clusters, and remove the stub in a couple releases.
There was a problem hiding this comment.
Creating the toothless binding would be the easiest for now, but I don't see a great path forward for removing it (without re-working how the addon manager works, which wouldn't be a bad thing, but...). I could have a cluster that I originally created at 1.6, and I've kept along with upgrades and now at 1.12 we remove the grabbag-binding, and it breaks me. Any thoughts? I know you aren't a huge fan of the addon manager in general...
There was a problem hiding this comment.
Bounced this around w/ @roberthbailey and @Q-Lee. I'm starting to lean towards just blowing away this binding, and including instructions in the release note on how to get it back if you really were doing something weird inside your kube-system namespace that needed it.
liggitt
added
the
do-not-merge
|
marking do-not-merge pending the question about upgrade behavior |
| @@ -1126,16 +1126,14 @@ function start-kube-addons { | |||
| local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty" | |||
| local -r dst_dir="/etc/kubernetes/addons" | |||
|
|
|||
| # prep the additional bindings that are particular to e2e users and groups | |||
| setup-addon-manifests "addons" "e2e-rbac-bindings" | |||
There was a problem hiding this comment.
does this script set up the rbac addon which now contains the replacement kubelet binding?
cjcullen
added
the
release-note-action-required
cjcullen
removed
the
release-note-none
k8s-github-robot
added
size/L
|
I would have preferred this occur at the beginning of a release cycle, but I'll defer to the owners of the GCE/GKE deployments. At the very least, we should:
@zmerlynn / @roberthbailey feel free to remove the hold when those are done to your satisfaction |
Move kubelet binding to the rbac folder.
|
Rebased and pushed to get an updated set of e2e runs after the code-freeze rush. |
|
Also added instructions on how to recreate the binding to the release notes. |
|
@roberthbailey |
|
/retest |
| @@ -1481,10 +1481,6 @@ function start-kube-addons { | |||
| local -r src_dir="${KUBE_HOME}/kube-manifests/kubernetes/gci-trusty" | |||
| local -r dst_dir="/etc/kubernetes/addons" | |||
|
|
|||
| # TODO(mikedanese): only enable these in e2e | |||
| # prep the additional bindings that are particular to e2e users and groups | |||
| setup-addon-manifests "addons" "e2e-rbac-bindings" | |||
There was a problem hiding this comment.
should this line be
setup-addon-manifests "addons" "rbac"
as above?
There was a problem hiding this comment.
Nevermind, it was already in this file.
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cjcullen, roberthbailey Associated issue: 39990 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
|
@liggitt - are you comfortable with the upgrade story now? If so, we can remove the do-not-merge label. |
|
yes, I'll defer to the GCE/GKE deployment owners |
liggitt
removed
the
do-not-merge
|
/retest |
|
@cjcullen: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/retest |
|
Automatic merge from submit-queue |
Replace todo-grabbag binding w/ more specific heapster roles/bindings.
Move kubelet binding.
What this PR does / why we need it:
The "e2e-rbac-bindings" held 2 leftovers from the 1.6 RBAC rollout process:
Which issue this PR fixes: Addresses part of #39990
Release Note: