Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Improve setup of ClusterRole and ClusterRoleBinding for autodiscover #3134

Closed
david-kow opened this issue May 25, 2020 · 2 comments
Closed
Labels
discuss We need to figure this out >feature Adds or discusses adding a feature to the product v1.2.0

Comments

@david-kow
Copy link
Contributor

Autodiscover is a feature available in a number of Beats that enables driving configuration from Pod configuration (via annotations) as new Pods are appearing instead of driving it from Beats configuration directly. We want to support autodiscover out-of-the-box in Beat CRD.

To perform a discovery, Beat pod needs to have clusterwide permissions to get, list and watch pods and namespaces.

Similarly to #3133, we can leave it up to the user to configure, do it as a part of the installation or do it in the controller.

So far we agreed to do it in the controller (behind a flag) but it does have downsides:

  • it requires the operator to have additional permissions (to create clusterroles/clusterrolebindings)
  • delete story is not great as all our CRs are namespaced and cluster-wide resource can't have namespaced owner. This means that if someone creates and deletes Beat CR they will be left with these autodiscover role and binding. If someone applies and deletes all-in-one.yaml and create Beat CR in between it will be also left behind. To do it properly we would need to make sure that no other Beat is using it, ie. list all Beats and check if they are using the default service account.

I think I'd be for putting it in the manifest generation code. But if we decide otherwise, it seems to make sense to align this decision with the decision for #3133.

@botelastic botelastic bot added the triage label May 25, 2020
@david-kow david-kow added discuss We need to figure this out v1.2.0 and removed triage labels May 25, 2020
@botelastic botelastic bot added the triage label May 25, 2020
@david-kow david-kow added the >feature Adds or discusses adding a feature to the product label May 25, 2020
@botelastic botelastic bot removed the triage label May 25, 2020
@david-kow david-kow changed the title Improve removal of default autodiscoverClusterRole and ClusterRoleBinding Improve setup of ClusterRole and ClusterRoleBinding for autodiscover May 25, 2020
This was referenced May 25, 2020
@david-kow
Copy link
Contributor Author

To address the concerns above, the following is currently implemented as a part of #3041:

  • ClusterRole with correct autodiscover permissions is created as a part of the ECK installation
  • The operator gets a permission to create bindings to only that ClusterRole
  • ClusterRoleBinding and ServiceAccount is created for each Beat that doesn't have ServiceAccount set by the user
  • The operator filters the events for ClusterRoleBindings that don't concern it
  • The operator removes ClusterRoleBinding when Beat resource is deleted based on well-known name template
  • Default ServiceAccount has a well-known name template that allows users to bind their own roles to it, independently from the operator

@david-kow
Copy link
Contributor Author

This is implemented with #3041. Docs issue will come separately.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
discuss We need to figure this out >feature Adds or discusses adding a feature to the product v1.2.0
Projects
None yet
Development

No branches or pull requests

1 participant