[stable/nginx-ingress] Add RBAC support #1235
Conversation
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Hi @jsulinski. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with
@jsulinski: you can't request testing unless you are a kubernetes member. In response to this:
@@ -22,6 +25,9 @@ spec: | |||
component: "{{ .Values.controller.name }}" | |||
release: {{ .Release.Name }} | |||
spec: | |||
{{- if .Values.controller.rbac.enabled }} | |||
serviceAccountName: {{ template "fullname" . }} | |||
{{- end }} |
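Review bot: when `rbac.enabled` is false this pod spec renders no `serviceAccountName` at all, which makes a true-to-false flip on upgrade ambiguous (the reset problem raised in review). Consider an explicit else branch, e.g. `{{- else }}` / `serviceAccountName: default`, so the field is always present. Also check that `template "fullname"` here resolves to the same string the ServiceAccount manifest uses; the other hunk in this PR names its resource with `template "controller.fullname" .`.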
I submitted a similar update for Traefik in #1225. When switching RBAC enabled from true to false and helm installing, I found the serviceAccountName stays as the Traefik specific one rather than being reset to default. I wondered if you had encountered that issue here?
No, I didn't experience this. I would presume the issue is elsewhere in your case, as this conditional logic is very simple.
@jsulinski hmmm, strange; the Traefik chart doesn't have any complex logic here, the switch is pretty much identical.
Should this also have a default service account? https://github.com/kubernetes/charts/blob/master/stable/kube2iam/templates/daemonset.yaml#L24
I believe you'll also want to apply this to the controller-daemonset.yaml.
I agree. Pulled your changes.
@@ -9,6 +9,9 @@ metadata: | |||
heritage: {{ .Release.Service }} | |||
release: {{ .Release.Name }} | |||
name: {{ template "controller.fullname" . }} | |||
{{- if .Values.controller.rbac.enabled }} | |||
namespace: {{ .Release.Namespace }} |
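Review bot: the `namespace: {{ .Release.Namespace }}` under `metadata` is not needed: `helm install --namespace` sets the target namespace for every rendered object, and hardcoding it here only adds a second source of truth. Keep the namespace for the ServiceAccount entry under `subjects:` in the role binding, where it is required, and drop it from metadata. The `{{- if .Values.controller.rbac.enabled }}` guard opened here has no `{{- end }}` in the visible context; confirm it is closed.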
This seems weird. I think we prefer to leave out the namespace in the metadata section of manifests and let helm take care of that when the --namespace flag is used.
However, you probably need it when you reference the subject in the role bindings, but it shouldn't be required here. Can you give it a try? (including the other manifests)
Updated, thanks so much! You were spot on.
# Here: "<ingress-controller-leader>-<nginx>" | ||
# This has to be adapted if you change either parameter | ||
# when launching the nginx-ingress-controller. | ||
- "ingress-controller-leader-nginx" |
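Review bot: hardcoding `ingress-controller-leader-nginx` under `resourceNames` ties the ClusterRole to the controller's default election id and ingress class, which the comment above the line itself warns about; anyone launching the controller with a different election id or class gets a role that silently denies access to the real leader-election ConfigMap. Expose this as a list value defaulting to `["ingress-controller-leader-nginx"]` and render it with a `range` loop, so the name restriction follows the configured value.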
This seems like it should be a user-supplied list defaulting to ["ingress-controller-leader-nginx"].
Agreed. Will update.
This looks great. Hope it's merged soon. I think the example RBAC rules here have been updated in the last few days. Might want to pull in the latest version.
Disregard, I made a mistake, when I merged your branch ... derp.
stable/nginx-ingress/values.yaml
@@ -36,6 +36,10 @@ controller: | |||
## | |||
kind: Deployment | |||
|
|||
## enable RBAC as per: https://github.com/kubernetes/ingress/tree/master/examples/rbac/nginx and https://github.com/kubernetes/ingress/issues/266 | |||
rbac: | |||
enabled: false |
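Review bot: with `enabled: false` as the default, the controller on a cluster that enforces RBAC runs under the namespace's default ServiceAccount and its API calls are denied; the README entry for this value should say so, and the URL in the comment is the right pointer for the rules the controller needs. On naming, two merged charts use `rbac.install`; either key is fine, but pick one and keep the values key, the template conditionals and the README consistent.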
nit: The two charts with optional RBAC support that have merged seem to be stable/etcd-operator and incubator/istio and both use .Values.rbac.install as the flag. Personally i prefer enabled, but thought i'd point it out for consistency.
Great point. I'll update when I have a free moment.
fyi, looks like the Traefik chart is merged w/ `rbac.enabled`, 👍 https://github.com/kubernetes/charts/blob/master/stable/traefik/values.yaml#L63
Sticking with rbac.enabled.
Once merged, it will solve: #927
- apiGroups: | ||
- "" | ||
resources: | ||
- events |
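Review bot: the indentation of `- ""` and `resources:` under `apiGroups` does not line up with the other rules in this file (the nit raised in review); align it so every rule is laid out the same way. The `verbs` for this rule are outside the visible lines: for `events` the controller only needs `create` and `patch`, so avoid a wildcard there.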
nit; spacing is off just a bit
Thanks!
- apiGroups: | ||
- "" | ||
resources: | ||
- nodes |
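Review bot: `nodes` here only needs the `get` verb; check the verbs in this rule. More importantly, the visible rules grant nothing on `namespaces`, so a controller started with `--watch-namespace` fails at startup with the `no watchNamespace ... cannot get namespaces` error reported in review below; add `namespaces` with `get`, ideally in a Role bound in the watched namespace rather than cluster-wide.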
when using `--watch-namespace` I had to add `namespaces` here to avoid the following error:
F0710 18:20:42.008164 10 launch.go:145] no watchNamespace with name stage-1-osf found: User "system:serviceaccount:stage-1-osf:mfjzdy-nginx-ingress" cannot get namespaces in the namespace "stage-1-osf".: "Unknown user \"system:serviceaccount:stage-1-osf:mfjzdy-nginx-ingress\"" (get namespaces stage-1-osf)
Can you elaborate on this?
The controller is attempting to request a list of namespaces and, due to lack of permissions, throws an exception (get namespaces stage-1-osf). This command option essentially allows you to have the controller only watch a specified namespace for ingresses tagged with `nginx`, rather than a single global ingress nginx controller for the entire cluster.
In our case we are evaluating dedicated ip/ingress for each significant component of a larger application, thinking more towards a potential future of adding ModSecurity at this controller ingress point.
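To make the two review points above concrete (the namespace belongs on the ServiceAccount subject of the binding rather than in every manifest's `metadata`, and a controller started with `--watch-namespace` additionally needs `get` on `namespaces`), here is an added example of a namespace-scoped Role and RoleBinding written as a Helm template. It is not code from this PR or from the chart. The `controller.rbac.enabled` value and the `controller.fullname` helper appear in the thread; the `controller.watchNamespace` and `controller.rbac.resourceNames` value names are assumptions made for the example.

```yaml
{{- if .Values.controller.rbac.enabled }}
# Namespace-scoped permissions for the controller (added example, not chart code).
# No metadata.namespace: `helm install --namespace` places every rendered object
# in the release namespace, so the template does not need to repeat it.
apiVersion: rbac.authorization.k8s.io/v1   # use v1beta1 on clusters older than 1.8
kind: Role
metadata:
  name: {{ template "controller.fullname" . }}
  labels:
    release: {{ .Release.Name }}
rules:
  - apiGroups:
      - ""
    resources:
      - configmaps
      - pods
      - secrets
    verbs:
      - get
{{- if .Values.controller.watchNamespace }}
  # Only needed with --watch-namespace (assumed value name): at startup the
  # controller does `get namespaces <name>`, and that request is authorized
  # against the namespace of the same name, so a Role in that namespace suffices.
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
{{- end }}
  # Leader-election ConfigMap, restricted by name. A range loop over an assumed
  # list value keeps the restriction in step with the configured election id.
  - apiGroups:
      - ""
    resources:
      - configmaps
    resourceNames:
{{- range .Values.controller.rbac.resourceNames }}
      - {{ . | quote }}
{{- end }}
    verbs:
      - get
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: {{ template "controller.fullname" . }}
  labels:
    release: {{ .Release.Name }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ template "controller.fullname" . }}
subjects:
  # This is the one place the namespace is required: a ServiceAccount subject
  # is identified as system:serviceaccount:<namespace>:<name>, which is exactly
  # the user string that appears in the "cannot get namespaces" error above.
  - kind: ServiceAccount
    name: {{ template "controller.fullname" . }}
    namespace: {{ .Release.Namespace }}
{{- end }}
```

With `controller.rbac.resourceNames` set to `["ingress-controller-leader-nginx"]` in values.yaml this renders the same `resourceNames` entry the hunk hardcodes, and flipping `controller.watchNamespace` toggles only the `namespaces` rule; cluster-wide reads (nodes, endpoints, ingresses across namespaces) would still live in a ClusterRole and are deliberately not part of this Role.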
Can you share an example? I haven't used --watch-namespace yet.
.─────────────────.
_.─' `──.
( Internet )
`───. _.──'
`───────────────'
│
▼
┌───────────────────────┐
│ Google Load Balancer │
└───────────────────────┘
│
┌─────────────────┴──────────────────┐
┌─Cluster #1────────┼────────────────────────────────────┼───────────────────┐
│ ▼ ▼ │
│ ┌Namespace (Testing)──────────────┐ ┌Namespace (Staging)──────────────┐ │
│ │┌──────────────┐ ┌──────────────┐│ │┌──────────────┐ ┌──────────────┐│ │
│ ││ Ingress │ │ Default ││ ││ Ingress │ │ Default ││ │
│ ││ Controller │ │ Backend ││ ││ Controller │ │ Backend ││ │
│ │└──────────────┘ └──────────────┘│ │└──────────────┘ └──────────────┘│ │
│ │ │ ▲ │ │ │ ▲ │ │
│ │ └───────┬────────┘ │ │ └───────┬────────┘ │ │
│ │ │ │ │ │ │ │
│ │ ┌────────────────┐ │ │ ┌────────────────┐ │ │
│ │ │ ingress.yaml │ │ │ │ ingress.yaml │ │ │
│ │ └────────────────┘ │ │ └────────────────┘ │ │
│ │ │ │ │ │ │ │
│ │ ┌──────────┼──────────┐ │ │ ┌──────────┼──────────┐ │ │
│ │ ▼ ▼ ▼ │ │ ▼ ▼ ▼ │ │
│ │ ┌───────┐ ┌───────┐ ┌───────┐ │ │ ┌───────┐ ┌───────┐ ┌───────┐ │ │
│ │ │ Pod 1 │ │ Pod 2 │ │ Pod 3 │ │ │ │ Pod 1 │ │ Pod 2 │ │ Pod 3 │ │ │
│ │ └───────┘ └───────┘ └───────┘ │ │ └───────┘ └───────┘ └───────┘ │ │
│ └─────────────────────────────────┘ └─────────────────────────────────┘ │
│ │
└────────────────────────────────────────────────────────────────────────────┘
please tell me how you made that diagram! (programmatically i hope)
Thank you! I'll work on this as soon as I have a moment.
@viglesiasce, using this awesome tool https://monodraw.helftone.com/
I'm working on testing revisions but having some issues with my RBAC enabled Kube cluster and chart. I'll push the changes without testing if I can't make progress soon.
This is tested with all changes except making resourceNames a value. I'll do that as soon as I can, or anyone else is welcome to.
Thanks @icereval!
@bison Thanks, updated.
@icereval Do you want to add watchNamespace too? I haven't had time to test this yet but it would be good to add. Thanks!
I can take care of watchNamespace, too, since it's RBAC-related. Will ping you all when I think it's ready.
I think this will do it. RBAC for I've not actually tested this, but wanted to document it before I shut down for the night.
Thanks a lot! I tested this and it works for my albeit limited use case. I have not tested namespaces, however. The design you described for clusterRole makes sense to me, but I would take that with a grain of salt. :)
* this produces the correctly formatted output we are looking for, specifically with regard to the extra carriage return which didn't want to be chomped away by the usual `-` method.
/ok-to-test
/lgtm
Awesome. Thanks a lot for helping get this over the finish line! Really appreciate it.
This option was added helm#1235 by @jsulinski, but as best as I can tell, `defaultSSLCertificate` was not wired up.
* nginx-ingress: fix spacing for events
* Add RBAC support
* Add RBAC support for nginx-ingress based on: helm/charts#1235
* Pull in new RBAC changes from kubernetes/ingress-nginx@4618fd2
* Move resourceNames to a value
* templates: use a range loop to render the resourceNames
* this produces the correctly formatted output we are looking for, specifically with regard to the extra carriage return which didn't want to be chomped away by the usual `-` method.
* Tweak RBAC
* Bump chart versions
* Fix README
* Restrict namespace RBAC if scoped
Enable RBAC as per: https://github.com/kubernetes/ingress/tree/master/examples/rbac/nginx and kubernetes/ingress-nginx#266