Added proper RBAC rules to Prow #8288
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
| @@ -94,6 +94,7 @@ spec: | |||
| app: hook | |||
| spec: | |||
| terminationGracePeriodSeconds: 180 | |||
| serviceAccountName: "hook" | |||
There was a problem hiding this comment.
You'll need to add the service accounts to the *_deployment.yaml files as well.
There was a problem hiding this comment.
Since our deployments won't be using RBAC we can't actually add the service account since we won't define it. Maybe add it to the deployment files, but comment it out with an explanation?
There was a problem hiding this comment.
Addressed in latest commit
There was a problem hiding this comment.
It doesn't appear to be?
I still see non-commented lines like serviceAccountName: "plank" in the deployment files.
There was a problem hiding this comment.
discussed this offline, definitely comment out with an explanation, someday we will be on RBAC and need to uncomment 🙃 (and also add these to the rules_k8s deployment)
There was a problem hiding this comment.
I added service accounts to the deployments and purposefully didnt comment them out, thought Ben's comment below was saying these wouldnt be deployed to prow.k8s.io.
There was a problem hiding this comment.
Latest commit contains commented out service accounts in deployment files
assuming you mean prow.k8s.io, nothing here should actually get deployed to it AFAICT. |
Are we just adding it for completeness and other deployments then? |
|
This is for the getting started guide? We have separate config for k8s.io
…On Thu, Jun 7, 2018, 2:15 PM Cole Wagner ***@***.***> wrote:
nothing here should actually get deployed to it AFAICT.
Are we just adding it for completeness and other deployments then?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#8288 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AA4BqzJgEqeO9S8m3TjjlZve-v-OPrGKks5t6ZgCgaJpZM4Ue1P5>
.
|
It doesn't look like this is all meant for the starter yaml. |
|
edit: ah, in this pr starter.yaml also gains RBAC in any case, the bazel deployment at least is not applying these other files, and someday we will probably need the same rules outside of starter. I don't think they are harmful. |
|
/assign @stevekuznetsov @BenTheElder @cjwagner |
|
I decided to keep a copy of the RBAC deployments separate from starter.yaml for people who may want to deploy their own versions of specific services without having to apply starter.yaml for RBAC. |
|
@paulangton did you have to edit any of the RBAC rules? Would be good to review the diff between what we have deployed and what you are proposing here. If there was no necessary diff, this LGTM |
|
@stevekuznetsov I had to edit all of the RBAC rules. The ones in the Openshift repo were wrapped in Openshift Example: Diff between Openshift (left) and this PR (right): |
paulangton
force-pushed
the
proper-prow-rbac
branch
from
9e1a9cf
to
87345b4
Compare
|
OK, you could also use List objects to keep them nicely in one document per file. If the changes were:
Then these LGTM |
|
@stevekuznetsov Unless there is some notable advantage I am not seeing to using a List type, I am going to leave it as is. K8s docs on general configuration as well as RBAC specify config files containing multiple objects separated by the triple hyphen instead of combined in a List type. |
paulangton
force-pushed
the
proper-prow-rbac
branch
from
87345b4
to
711babc
Compare
|
Sure, fine either way. Please add |
paulangton
force-pushed
the
proper-prow-rbac
branch
from
711babc
to
60e3057
Compare
|
|
|
@stevekuznetsov @cjwagner lgty? |
prow/cluster/tide_deployment.yaml
Outdated
| @@ -25,6 +25,7 @@ spec: | |||
| labels: | |||
| app: tide | |||
| spec: | |||
| serviceAccountName: "tide" | |||
There was a problem hiding this comment.
This should be commented as well.
There was a problem hiding this comment.
Good catch, fixed in latest
removed permissive policy added service account to deployments, removed tide rbac from starter.yaml commented out serviceaccounts for use with RBAC added get to hook rbac fixed tide deployment
paulangton
force-pushed
the
proper-prow-rbac
branch
from
60e3057
to
82d585b
Compare
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cjwagner, paulangton The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
| kind: ClusterRole | ||
| apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
| metadata: | ||
| name: "deck-oauth" |
There was a problem hiding this comment.
You don't need this here; we use it in openshift because we run a deck instance for our private repos behind an oauth proxy. Unfortunately, the oauth proxy works only on openshift today :/
| @@ -25,6 +25,7 @@ spec: | |||
| labels: | |||
| app: horologium | |||
| spec: | |||
| # serviceAccountName: "horologium" # Uncomment for use with RBAC | |||
There was a problem hiding this comment.
I think you should be able to use this service account regardless of running with rbac or not so it may be worth to uncomment upfront and move the service accounts alongside the deployment manifests.
It would be nice to include the jenkins operator rbac profile too. I don't know what's the best place to put that though, maybe just add it in the source code? |
Integrated RBAC rules from Openshift as per @stevekuznetsov 's suggestion. Rules were added en masse to starter.yaml, but also duplicated in separate deployment configs. Should fix #7950 and clean up leftovers from #8088