Added proper RBAC rules to Prow #8288
/ok-to-test
We use legacy authorization on this cluster. Will that conflict with RBAC?
@@ -94,6 +94,7 @@ spec: | |||
app: hook | |||
spec: | |||
terminationGracePeriodSeconds: 180 | |||
serviceAccountName: "hook" |
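Review bot: `serviceAccountName: "hook"` is switched on here, but a pod that names a ServiceAccount which has not been created is rejected by the ServiceAccount admission controller, so this deployment file can no longer be applied on its own on a cluster where the `hook` ServiceAccount object has not been applied first. Either ship that ServiceAccount alongside hook_deployment.yaml or leave the line commented out with a note saying when to enable it.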
You'll need to add the service accounts to the *_deployment.yaml
files as well.
Since our deployments won't be using RBAC we can't actually add the service account since we won't define it. Maybe add it to the deployment files, but comment it out with an explanation?
Addressed in latest commit
It doesn't appear to be?
I still see non-commented lines like serviceAccountName: "plank"
in the deployment files.
Discussed this offline: definitely comment out with an explanation; someday we will be on RBAC and need to uncomment 🙃 (and also add these to the rules_k8s deployment)
I added service accounts to the deployments and purposefully didn't comment them out; I thought Ben's comment below was saying these wouldn't be deployed to prow.k8s.io.
Latest commit contains commented out service accounts in deployment files
Assuming you mean prow.k8s.io, nothing here should actually get deployed to it AFAICT.
Are we just adding it for completeness and other deployments then?
This is for the getting started guide? We have separate config for k8s.io
On Thu, Jun 7, 2018, 2:15 PM Cole Wagner wrote:
> nothing here should actually get deployed to it AFAICT.
> Are we just adding it for completeness and other deployments then?
It doesn't look like this is all meant for the starter yaml.
Edit: ah, in this PR starter.yaml also gains RBAC. In any case, the bazel deployment at least is not applying these other files, and someday we will probably need the same rules outside of starter. I don't think they are harmful.
/assign @stevekuznetsov @BenTheElder @cjwagner
I decided to keep a copy of the RBAC deployments separate from starter.yaml for people who may want to deploy their own versions of specific services without having to apply starter.yaml for RBAC.
@paulangton did you have to edit any of the RBAC rules? Would be good to review the diff between what we have deployed and what you are proposing here. If there was no necessary diff, this LGTM
@stevekuznetsov I had to edit all of the RBAC rules. The ones in the Openshift repo were wrapped in Openshift Example: Diff between Openshift (left) and this PR (right):
9e1a9cf to 87345b4
OK, you could also use List objects to keep them nicely in one document per file. If the changes were:
Then these LGTM
@stevekuznetsov Unless there is some notable advantage I am not seeing to using a List type, I am going to leave it as is. K8s docs on general configuration as well as RBAC specify config files containing multiple objects separated by the triple hyphen instead of combined in a List type.
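Two points recur in this thread and can both be checked mechanically: a `serviceAccountName` in a deployment file only works if the ServiceAccount object ships with it (the `plank` line flagged above), and a `---`-separated file and a `kind: List` wrapper carry the same objects and should be checked the same way. The script below is an added example, not Prow's code or anything from this PR. It cross-references workloads, ServiceAccounts, bindings and roles in parsed manifests and also flags wildcard rules, the kind of permissive policy the squashed commits later say was removed. Its sample manifests are constructed for illustration and do not reproduce Prow's actual rules, and it takes plain dicts in place of `yaml.safe_load_all()` output so it runs without PyYAML.

```python
"""Consistency check for Kubernetes RBAC manifests (added example, not Prow's code).
Input is what yaml.safe_load_all() returns for a `---`-separated file; the sample
below is constructed inline as dicts so the check runs offline without PyYAML."""
from collections import defaultdict

WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet", "Job"}
CLUSTER_SCOPED = {"ClusterRole", "ClusterRoleBinding"}


def flatten(docs):
    """Yield individual objects, unwrapping `kind: List` (the alternative layout
    discussed in the review) and skipping empty documents."""
    for doc in docs:
        if doc and doc.get("kind") == "List":
            yield from flatten(doc.get("items", []))
        elif doc:
            yield doc


def _ns(obj):
    """Namespace key: '' for cluster-scoped kinds, else the namespace or 'default'."""
    return "" if obj["kind"] in CLUSTER_SCOPED else obj["metadata"].get("namespace", "default")


def check_rbac(docs):
    """Return sorted findings (strings) for the objects in docs."""
    objs = list(flatten(docs))
    index = defaultdict(dict)  # kind -> {(namespace, name): object}
    for o in objs:
        index[o["kind"]][(_ns(o), o["metadata"]["name"])] = o
    findings, bound = [], set()  # bound: (namespace, name) of granted ServiceAccounts

    # 1. A pod naming a ServiceAccount that is not defined is rejected at admission,
    #    so a deployment with serviceAccountName set needs the account shipped with it.
    for o in objs:
        if o["kind"] not in WORKLOAD_KINDS:
            continue
        sa = o["spec"]["template"]["spec"].get("serviceAccountName", "default")
        if sa != "default" and (_ns(o), sa) not in index["ServiceAccount"]:
            findings.append(f"{o['kind']} {_ns(o)}/{o['metadata']['name']} references "
                            f"undefined ServiceAccount {_ns(o)}/{sa}")

    # 2. Bindings must point at a defined role; record which accounts they grant to.
    for kind in ("RoleBinding", "ClusterRoleBinding"):
        for (ns, name), b in index[kind].items():
            ref = b["roleRef"]
            if (ns if ref["kind"] == "Role" else "", ref["name"]) not in index[ref["kind"]]:
                findings.append(f"{kind} {name} references undefined {ref['kind']} {ref['name']}")
            for s in b.get("subjects", []):
                if s.get("kind") != "ServiceAccount":
                    continue
                # RoleBinding subjects default to the binding's namespace; a
                # ClusterRoleBinding has none, so the subject must name one itself.
                sa_ns = s.get("namespace", ns if kind == "RoleBinding" else None)
                if sa_ns is None:
                    findings.append(f"{kind} {name} subject {s['name']} lacks a namespace")
                else:
                    bound.add((sa_ns, s["name"]))

    # 3. An account no binding mentions is dead config or a grant someone forgot.
    for ns, name in index["ServiceAccount"]:
        if (ns, name) not in bound:
            findings.append(f"ServiceAccount {ns}/{name} is defined but bound by nothing")

    # 4. Wildcards hand out far more than any single component needs.
    for kind in ("Role", "ClusterRole"):
        for (_, name), r in index[kind].items():
            for i, rule in enumerate(r.get("rules", [])):
                verbs, resources = rule.get("verbs", []), rule.get("resources", [])
                if "*" in verbs or "*" in resources:
                    findings.append(f"{kind} {name} rule {i} contains a wildcard "
                                    f"(verbs={verbs}, resources={resources})")
    return sorted(findings)


# Constructed sample: hook done right; a plank deployment naming an account nobody
# defines (the case flagged in review); a `kind: List` with an over-broad ClusterRole
# and a binding whose role does not exist. None of this is Prow's real policy.
RBAC = "rbac.authorization.k8s.io/v1"
SAMPLE_DOCS = [
    {"apiVersion": "v1", "kind": "ServiceAccount", "metadata": {"name": "hook", "namespace": "default"}},
    {"apiVersion": RBAC, "kind": "Role", "metadata": {"name": "hook", "namespace": "default"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
    {"apiVersion": RBAC, "kind": "RoleBinding", "metadata": {"name": "hook", "namespace": "default"},
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "hook"},
     "subjects": [{"kind": "ServiceAccount", "name": "hook"}]},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "hook", "namespace": "default"},
     "spec": {"template": {"spec": {"serviceAccountName": "hook"}}}},
    {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "plank", "namespace": "default"},
     "spec": {"template": {"spec": {"serviceAccountName": "plank"}}}},
    {"apiVersion": "v1", "kind": "List", "items": [
        {"apiVersion": RBAC, "kind": "ClusterRole", "metadata": {"name": "wide-open"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"apiVersion": RBAC, "kind": "ClusterRoleBinding", "metadata": {"name": "wide-open"},
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "missing-role"},
         "subjects": [{"kind": "ServiceAccount", "name": "hook", "namespace": "default"}]},
    ]},
]

if __name__ == "__main__":
    for finding in check_rbac(SAMPLE_DOCS):
        print(finding)
```

Against the constructed sample the check reports the undefined `plank` account, the binding whose ClusterRole does not exist, and the all-wildcard rule, while the `hook` account, which is defined, bound and referenced, produces nothing. To run it on a real `---`-separated file, replace `SAMPLE_DOCS` with `list(yaml.safe_load_all(open(path)))`.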
87345b4 to 711babc
Sure, fine either way. Please add
711babc to 60e3057
@stevekuznetsov @cjwagner lgty?
One change, otherwise this LGTM.
prow/cluster/tide_deployment.yaml
@@ -25,6 +25,7 @@ spec: | |||
labels: | |||
app: tide | |||
spec: | |||
serviceAccountName: "tide" |
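Review bot: `serviceAccountName: "tide"` is left active in tide_deployment.yaml while the sibling deployment files in this PR carry the same line commented out with an explanation; make this file consistent with them, otherwise tide alone will fail to create pods on a cluster where the `tide` ServiceAccount object has not been applied.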
This should be commented as well.
Good catch, fixed in latest
removed permissive policy
added service account to deployments
removed tide rbac from starter.yaml
commented out serviceaccounts for use with RBAC
added get to hook rbac
fixed tide deployment
60e3057 to 82d585b
/lgtm
kind: ClusterRole | ||
apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
metadata: | ||
name: "deck-oauth" |
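Review bot: `apiVersion: rbac.authorization.k8s.io/v1beta1` should be `rbac.authorization.k8s.io/v1`; the RBAC API has been stable at v1 since Kubernetes 1.8, and the beta version is the one later releases drop, so new manifests should not target it. Separately, nothing in this repository's deployments runs deck behind the OAuth proxy that a `deck-oauth` ClusterRole exists for, which makes it an unused grant that should be removed rather than carried over from the OpenShift configuration.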
You don't need this here; we use it in openshift because we run a deck instance for our private repos behind an oauth proxy. Unfortunately, the oauth proxy works only on openshift today :/
@@ -25,6 +25,7 @@ spec: | |||
labels: | |||
app: horologium | |||
spec: | |||
# serviceAccountName: "horologium" # Uncomment for use with RBAC |
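Review bot: with `serviceAccountName` commented out, the horologium pod runs as the namespace's `default` ServiceAccount, an identity shared with every other pod in that namespace, and the comment should say so rather than only "Uncomment for use with RBAC". A dedicated ServiceAccount costs nothing on a cluster that does not enable the RBAC authorizer (the pod's permissions then come from whatever that authorizer grants, exactly as they would for `default`), so the safer shape is to ship the `horologium` ServiceAccount object and keep this line active, giving the component its own identity whichever authorizer is in use.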
I think you should be able to use this service account regardless of running with RBAC or not, so it may be worth uncommenting it upfront and moving the service accounts alongside the deployment manifests.
It would be nice to include the Jenkins operator RBAC profile too. I don't know what's the best place to put that though, maybe just add it in the source code?
Integrated RBAC rules from Openshift as per @stevekuznetsov's suggestion. Rules were added en masse to starter.yaml, but also duplicated in separate deployment configs. Should fix #7950 and clean up leftovers from #8088