
Allow configuring/toggling/removing of full_control_namespace role binding #551

Open
phlg opened this issue Jan 23, 2025 · 0 comments
@phlg
Contributor

phlg commented Jan 23, 2025

Hello,

Currently, Onyxia creates the full_control_namespace RoleBinding in every namespace it creates, using the hardcoded admin ClusterRole:

new RoleBindingBuilder()
    .withNewMetadata()
        .withLabels(Map.of("createdby", "onyxia"))
        .withName("full_control_namespace")
        .withNamespace(namespaceId)
    .endMetadata()
    .withSubjects(
        new SubjectBuilder()
            .withKind(getSubjectKind(owner))
            .withName(name)
            .withApiGroup("rbac.authorization.k8s.io")
            .withNamespace(namespaceId)
            .build())
    .withNewRoleRef()
        .withApiGroup("rbac.authorization.k8s.io")
        .withKind("ClusterRole")
        .withName("admin") // hardcoded: the namespace owner is always bound to the aggregated "admin" ClusterRole
    .endRoleRef()
    .build());

This behavior is not always desirable, and when it is, the aggregated ClusterRole admin can be more permissive than necessary. Is it possible to mitigate this, for instance by:

  • adding a flag to toggle the creation of the full_control_namespace RoleBinding by Onyxia
  • allowing the ClusterRole referenced in full_control_namespace to be changed
  • removing this entirely, if it is no longer useful for anyone

Thanks!

EDIT: I realize I didn't even mention the main issue at hand. The hardcoded reference to the admin ClusterRole has a direct impact on Onyxia configuration. Whenever the Kubernetes cluster running Onyxia adds a new operator (or otherwise "registers" any new CRD on the aggregated view/edit/admin ClusterRoles), the relevant RBAC permissions must be added to a ClusterRole bound to the ServiceAccount running onyxia-api. Failing to do so triggers errors on the onboarding endpoint, when it tries to patch the full_control_namespace RoleBinding, which in turn makes onyxia-web unusable (alert with 500 error on the homepage).

For instance, after installing External Secrets Operator in our cluster, we could see the following in onyxia-api's logs:

2025-01-29T09:03:51.484Z ERROR 27 --- [nio-8080-exec-3] o.a.c.c.C.[.[.[.[dispatcherServlet]      : Servlet.service() for servlet [dispatcherServlet] in context with path [/api] threw exception [Request processing failed: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://redacted:443/apis/rbac.authorization.k8s.io/v1/namespaces/redacted/rolebindings. Message: rolebindings.rbac.authorization.k8s.io "full_control_namespace" is forbidden: user "system:serviceaccount:onyxia:onyxia-api" (groups=["system:serviceaccounts" "system:serviceaccounts:onyxia" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
{APIGroups:["external-secrets.io"], Resources:["clustersecretstores"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["external-secrets.io"], Resources:["externalsecrets"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["external-secrets.io"], Resources:["pushsecrets"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["external-secrets.io"], Resources:["secretstores"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["generators.external-secrets.io"], Resources:["acraccesstokens"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["generators.external-secrets.io"], Resources:["clustergenerators"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["generators.external-secrets.io"], Resources:["ecrauthorizationtokens"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["generators.external-secrets.io"], Resources:["fakes"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["generators.external-secrets.io"], Resources:["gcraccesstokens"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["generators.external-secrets.io"], Resources:["githubaccesstokens"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["generators.external-secrets.io"], Resources:["passwords"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["generators.external-secrets.io"], Resources:["quayaccesstokens"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["generators.external-secrets.io"], Resources:["vaultdynamicsecrets"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["generators.external-secrets.io"], Resources:["webhooks"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}.
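The "is attempting to grant RBAC permissions not currently held" error above comes from the API server's RBAC escalation-prevention check: a subject may only create a RoleBinding if it already holds every permission the referenced role grants. The Python below, an added example and not Onyxia's or Kubernetes' code, reproduces that check over constructed rule sets: a stand-in for what the onyxia-api ServiceAccount holds, a stand-in for the aggregated `admin` ClusterRole after External Secrets CRDs were aggregated into it, and a hypothetical narrower ClusterRole (`onyxia-namespace-owner`, a name this example invents) that a configurable binding could reference. It shows why the `admin` binding breaks after a new operator is installed, and that the narrower role does not need the ServiceAccount's permissions to be widened.

```python
"""Reproduce the Kubernetes RBAC escalation-prevention check (added example,
not Onyxia's or Kubernetes' code). All rule sets below are constructed samples.
"""
from dataclasses import dataclass
from itertools import product
from typing import List, Tuple

ALL_VERBS = ("create", "delete", "deletecollection", "patch", "update", "get", "watch", "list")


@dataclass(frozen=True)
class Rule:
    """One PolicyRule: apiGroups x resources x verbs (resourceNames ignored)."""
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]


def _matches(pattern: str, value: str) -> bool:
    # A wildcard in the *held* rule covers anything; otherwise exact match.
    return pattern == "*" or pattern == value


def _covers_atom(rule: Rule, group: str, resource: str, verb: str) -> bool:
    """True if `rule` covers the single (group, resource, verb) triple."""
    return (any(_matches(g, group) for g in rule.api_groups)
            and any(_matches(r, resource) for r in rule.resources)
            and any(_matches(v, verb) for v in rule.verbs))


def uncovered_rules(held: List[Rule], wanted: List[Rule]) -> List[Rule]:
    """Return what `wanted` grants that `held` does not cover.

    Each wanted rule is broken into atomic (group, resource, verb) triples,
    like the API server does; a wildcard in `wanted` is treated literally, so
    only a wildcard in `held` can cover it. Results are grouped per
    (APIGroup, Resource), mirroring the shape of the error message.
    """
    missing = {}
    for rule in wanted:
        for group, resource, verb in product(rule.api_groups, rule.resources, rule.verbs):
            if not any(_covers_atom(h, group, resource, verb) for h in held):
                missing.setdefault((group, resource), []).append(verb)
    return [Rule((g,), (r,), tuple(vs)) for (g, r), vs in sorted(missing.items())]


def can_bind(held: List[Rule], role: List[Rule]) -> bool:
    """Would the API server accept a RoleBinding to `role` created by `held`?"""
    return not uncovered_rules(held, role)


# Constructed stand-in for the permissions granted to the onyxia-api ServiceAccount.
ONYXIA_API_HELD = [
    Rule(("",), ("pods", "services", "secrets", "configmaps", "persistentvolumeclaims", "serviceaccounts"), ALL_VERBS),
    Rule(("apps",), ("deployments", "statefulsets"), ALL_VERBS),
    Rule(("rbac.authorization.k8s.io",), ("roles", "rolebindings"), ALL_VERBS),
]

# Constructed stand-in for the aggregated `admin` ClusterRole once the External
# Secrets Operator has aggregated its CRDs into it.
ADMIN_AGGREGATED = ONYXIA_API_HELD + [
    Rule(("external-secrets.io",), ("externalsecrets", "secretstores"), ALL_VERBS),
]

# Hypothetical narrower ClusterRole "onyxia-namespace-owner" (name invented here)
# that a configurable full_control_namespace binding could reference instead.
NARROW_ROLE = [
    Rule(("",), ("pods", "services", "secrets", "configmaps", "persistentvolumeclaims"), ALL_VERBS),
    Rule(("apps",), ("deployments", "statefulsets"), ("get", "list", "watch", "create", "update", "patch", "delete")),
]


def format_missing(rules: List[Rule]) -> List[str]:
    """Render uncovered rules in the style of the API server's error text."""
    def q(xs):
        return "[" + " ".join(f'"{x}"' for x in xs) + "]"
    return [f"{{APIGroups:{q(r.api_groups)}, Resources:{q(r.resources)}, Verbs:{q(r.verbs)}}}" for r in rules]


if __name__ == "__main__":
    for name, role in (("admin (aggregated)", ADMIN_AGGREGATED), ("onyxia-namespace-owner", NARROW_ROLE)):
        print(f"bind to {name}: {'allowed' if can_bind(ONYXIA_API_HELD, role) else 'forbidden'}")
        for line in format_missing(uncovered_rules(ONYXIA_API_HELD, role)):
            print("  not held:", line)
```

Run as a script it reports the `admin` binding as forbidden, listing the two external-secrets.io rules the ServiceAccount lacks, and the narrower role as allowed. The same check explains the operational coupling described in the edit: every CRD aggregated into `admin` must also be granted to onyxia-api, whereas a role referenced by configuration only needs to stay within what the ServiceAccount already holds.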