Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

added rbac example discussed in kubernetes/ingress issue #266 #747

Merged
merged 1 commit into from
May 23, 2017

Conversation

nevetS
Copy link

@nevetS nevetS commented May 22, 2017

After struggling a bit myself with implementing an ingress controller, I ran into issue #266. Following the advice in that thread, I was able to move forward with my own implementation.

The discussion mentions creating an example a couple of times, but no example exists and no pull request exists that I can see, so I put one together.

I'm happy to revise this as necessary to have it included in the project.

@k8s-ci-robot
Copy link
Contributor

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label May 22, 2017
@k8s-reviewable
Copy link

This change is Reviewable

@aledbf aledbf mentioned this pull request May 22, 2017
@aledbf
Copy link
Member

aledbf commented May 22, 2017

@nevetS please sign the CLA

@coveralls
Copy link

Coverage Status

Coverage remained the same at 47.094% when pulling fb29da7 on nevetS:master into b6d11ca on kubernetes:master.

@nevetS
Copy link
Author

nevetS commented May 22, 2017

I have now signed the agreement.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels May 22, 2017
apiVersion: v1
kind: ServiceAccount
metadata:
name: nginx-ingress-serviceaccount
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd omit the -serviceaccount since it's inherent in the kind

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought about changing this, but I'm reluctant and here's why:

Because this is an example, I think it should be clear what maps to what without having to do any mental gymnastics. The ClusterRole, namespace, ServiceAccount, Role, RoleBinding, and ClusterRoleBinding can all drop the -thingtype extension, but then we'd have 6 objects all named nginx-ingress and it might cause confusion to people who are making modifications to the example in their own systems. While it's a bit of extra text and seems obvious, it's a little more clear for someone new.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nevetS l think you can review the ingress's source code, and then you can write a streamline rabc yaml.

rules:
- apiGroups:
- ""
- "extensions"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

None of these resources are in the extensions API group, can omit that from this rule

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change has been made and committed.

- get
- list
- watch
- update
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why does it need update rights on services?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@liggitt because when the Ingress rule uses a namedPort (string, like web) we don't have the required information in the endpoint

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That explains the need for read access, but not write access

Copy link
Member

@aledbf aledbf May 22, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, I forgot to mentioned that we update the service adding an annotation here

Copy link
Member

@liggitt liggitt May 22, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does an ingress named port refer to the name of the serviceport or the name of the container port? The name of the service port is available in the endpoint object.

Also, that implementation of resolving the named port to a single numeric port doesn't work if pods are non-homogenous (some expose port 80 as "web", some expose port 90 as "web")

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@liggitt I just pushed a refactoring to remove the annotation.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nevetS please remove the update right in the service

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i think use does't to create role , you can only create serviceAccount , culster-role, rolebinding , it 's sample and correct.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated service permissions and reflected the updated in README.md.

- "extensions"
resources:
- configmaps
- secrets
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Global list/watch on secrets is very escalating. Is this always required? Could it be limited to individual gets?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Global list/watch on secrets is very escalating

Ingress rules can be created/modified dynamically so is not possible to know the namespace/name of the secrets

Could it be limited to individual gets?

Is possible in the case of the ConfigMap but we don't know the name beforehand

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can the secret be retrieved at time of use by name?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes I can retrieve the secret by name but I need to know then a secret is updated or removed (and that is the reason of the use of informers)

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure if I follow here. Should I make a change to the example?

@aledbf
Copy link
Member

aledbf commented May 22, 2017

@liggitt thank you for reviewing this PR!

@coveralls
Copy link

Coverage Status

Coverage remained the same at 47.094% when pulling 1cfcd63 on nevetS:master into b6d11ca on kubernetes:master.

@coveralls
Copy link

Coverage Status

Coverage remained the same at 47.094% when pulling 1cfcd63 on nevetS:master into b6d11ca on kubernetes:master.

@aledbf
Copy link
Member

aledbf commented May 23, 2017

@nevetS also please squash the commits

@coveralls
Copy link

Coverage Status

Coverage decreased (-0.5%) to 46.614% when pulling f445bf501f0525f1a302cb17c15cb81f893e8d86 on nevetS:master into b6d11ca on kubernetes:master.

@nevetS
Copy link
Author

nevetS commented May 23, 2017

@huangjiasingle - your comment to review the ingress code, get rid of the role and streamline the permissions is the only one that I haven't addressed.

The reason for separating the role permissions from the cluster role permissions is to separate what is needed for the controller from what is needed for the entire cluster. That way, the example shows the most secure implementation of role based access control.

You are correct in asserting that I have not reviewed the code. I've relied on the discussion in issue #266 to build this, along with some similar postings that I've found on the web and my own experimentation stripping away permissions and testing with a simple implementation.

I don't have the time to do such a review right at this moment as I have competing priorities and I'm unfamiliar with the code, but I am happy to make changes that reflect the original goal. I'm leery to strip the role permissions completely because I have stripped individual role permissions during my own testing and found that they are necessary.

@aledbf
Copy link
Member

aledbf commented May 23, 2017

@nevetS please squash the commits so we can merge this PR. I a later PR we can improve the example.

resources:
- events
verbs:
- create
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In my case to get TLS working with multiple namespaces, I had to add patch as well (#575 (comment))

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added

permissions are granted to the Role named `nginx-ingress-role`

* `configmaps`,`secrets`,`pods`: get
* `endpoints`: get, create, update
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rules:
- apiGroups:
- ""
resources:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it would be nice to order the resources alphabetically ascending to keep future diffs lean

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this has been adjusted.

@nevetS
Copy link
Author

nevetS commented May 23, 2017

I have made the requested changes and squashed the commits. Thank you to everyone!

@coveralls
Copy link

Coverage Status

Coverage decreased (-0.05%) to 46.584% when pulling d7c999c on nevetS:master into 2ddf6c9 on kubernetes:master.

@coveralls
Copy link

Coverage Status

Coverage decreased (-0.02%) to 46.614% when pulling d7c999c on nevetS:master into 2ddf6c9 on kubernetes:master.

@aledbf aledbf self-assigned this May 23, 2017
@aledbf
Copy link
Member

aledbf commented May 23, 2017

/lgtm

@aledbf aledbf merged commit d13328b into kubernetes:master May 23, 2017
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 23, 2017
@aledbf
Copy link
Member

aledbf commented May 23, 2017

@nevetS thanks!

@nevetS nevetS mentioned this pull request May 23, 2017
@0xMadao
Copy link

0xMadao commented May 24, 2017

hi, @nevetS the serviceaccount nginx-ingress-serviceaccount is in the nginx-ingress namespaces, while the nginx-ingress-controller deployment is in the kube-system, how to use the nginx-ingress-serviceaccount when crossing namespaces? cause I didn't find any parameters about specified namespaces in pod.spec

@nevetS
Copy link
Author

nevetS commented May 24, 2017

In the example shown in the readme, the controller is in the nginx-ingress namespace.

The reason for the separation in this example is so that the reader has a clear understanding of what is required for the controller itself, and what is required for the entire cluster.

If you want to run in a namespace other than what is specified in the example, you can adjust the Role permissions namespace to the namespace where you have the nginx-ingress-controller implemented. You would also need to adjust the namespace of the service account, and you would not need the namespace defined in the example yml file.

If you have already implemented the example file without realizing you have a controller in a different namespace, you can use kubectl delete to delete the objects and then recreate them. Or re-define them and use kubectl update (though I don't have any experience using update on these objects, so I don't personally know if there are any gotchas involved).

i.e.

kubectl --namespace=nginx-ingress delete ServiceAccount nginx-ingress-serviceaccount
kubectl --namespace=nginx-ingress delete Role nginx-ingress-role
kubectl --namespace=nginx-ingress delete Namespace nginx-ingress
# then create a file with the service account and role defined in your desired namespace
kubectl create -f ./serviceaccount.yml
kubectl create -f ./role.yml
# and then reapply the bindings to the service account - again, in a new file (or you can have them all defined in a single file if you want)
kubectl create -f ./rolebindings.yml
# and then you'd likely need to update your nginx-ingress-controller to reflect a new serviceaccount
kubectl delete Deployment nginx-ingress-controller
#edit the nginx-ingress-controller file to include your service account
kubectl create -f ./yourcontrollerdefinition.yml
#and since your ip address/external hostname may have changed if you are in a cloud provider,
# adjust any dns records that aren't automatically updated

@nevetS
Copy link
Author

nevetS commented May 24, 2017

@jeremywu0127 I should also point out that when creating permissions, it's very easy to give access to secrets to the default service account. I like to have my ingress controller in a separate namespace because I don't want any other process to inadvertently gain access to my externally facing tls certificate secrets.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

9 participants