Account for discovered policies(kyverno, vapb etc) in aggregaterole #1907
Conversation
|
Skipping CI for Draft Pull Request. |
yiraeChristineKim
force-pushed
the
dicovered-kyverno-gatekeeper-vapb
branch
2 times, most recently
from
ea72ae6 to
1eab00b
Compare
openshift-ci
bot
requested review from
dhaiducek,
gparvin,
JustinKuli and
manravi
| resources: ["*"] | ||
| verbs: ["create", "get", "list", "watch", "update", "delete", "deletecollection", "patch"] | ||
| - apiGroups: ["admissionregistration.k8s.io"] | ||
| resources: ["validatingadmissionpolicybindings"] |
There was a problem hiding this comment.
Only bindings? Or should these include just validatingadmissionpolicy?
There was a problem hiding this comment.
We don't show validatingadmissionpolicy in discovered policy so
There was a problem hiding this comment.
I added! Thanks validatingadmissionpolicy is connected to validatingadmissionpolicybindings so it is good to add this! Thanks!!
| verbs: ["create", "get", "list", "watch", "update", "delete", "deletecollection", "patch"] | ||
| - apiGroups: ["kyverno.io"] | ||
| resources: ["policies", "clusterpolicies"] | ||
| verbs: ["create", "get", "list", "watch", "update", "delete", "deletecollection", "patch"] |
There was a problem hiding this comment.
nit: Missing trailing newline
| verbs: ["get", "list", "watch", "update", "patch"] | ||
| - apiGroups: ["admissionregistration.k8s.io"] | ||
| resources: ["validatingadmissionpolicybindings"] | ||
| verbs: ["get", "list", "watch", "update", "patch"] |
There was a problem hiding this comment.
nit: Missing trailing newline
| verbs: ["get", "list", "watch"] | ||
| - apiGroups: ["kyverno.io"] | ||
| resources: ["policies", "clusterpolicies"] | ||
| verbs: ["get", "list", "watch"] |
There was a problem hiding this comment.
nit: Missing trailing newline
| verbs: ["get", "list", "watch", "update", "patch"] | ||
| - apiGroups: ["admissionregistration.k8s.io"] | ||
| resources: ["validatingadmissionpolicybindings"] | ||
| verbs: ["get", "list", "watch", "update", "patch"] |
There was a problem hiding this comment.
Should this have Kvyerno also?
There was a problem hiding this comment.
you mean validatingadmissionpolicybindings has kyverno?
There was a problem hiding this comment.
No, sorry the lines here are unrelated. I mean kyverno.io is missing in the edit role.
There was a problem hiding this comment.
I missed Thanks!
| - apiGroups: ["kyverno.io"] | ||
| resources: ["policies", "clusterpolicies"] | ||
| verbs: ["create", "get", "list", "watch", "update", "delete", "deletecollection", "patch"] |
There was a problem hiding this comment.
I could be swayed on Gatekeeper since Gatekeeper is included in an ACM subscription, but I'm not sure these permissions should allow anything other than a fetch for Kyverno objects since ACM doesn't include/support Kyverno.
| - apiGroups: ["kyverno.io"] | |
| resources: ["policies", "clusterpolicies"] | |
| verbs: ["create", "get", "list", "watch", "update", "delete", "deletecollection", "patch"] | |
| - apiGroups: ["kyverno.io"] | |
| resources: ["policies", "clusterpolicies"] | |
| verbs: ["get", "list", "watch"] |
There was a problem hiding this comment.
good point! Who should I ask this?
There was a problem hiding this comment.
I'm ok with get, list and watch but I don't think we want to go beyond those. What are we trying to do that needs more than just reading their resources?
There was a problem hiding this comment.
@gparvin you are right. We need list, get (+watch maybe) to display on discovered policy table
There was a problem hiding this comment.
@yiraeChristineKim Did we need more than get/list/watch on the other resources? Make sure you are requesting the least amount of permissions possible to reduce the possibility of security issues in this area.
There was a problem hiding this comment.
We need get, list, and watch, but I primarily want to ensure compatibility with this PR. I am not entirely sure how the ClusterRole is being used
yiraeChristineKim
force-pushed
the
dicovered-kyverno-gatekeeper-vapb
branch
3 times, most recently
from
d6f7706 to
e48a233
Compare
| verbs: ["get", "list", "watch"] | ||
| - apiGroups: ["submarineraddon.open-cluster-management.io"] | ||
| resources: ["submarinerconfigs", "submarinerconfigs/status"] | ||
| verbs: ["create", "get", "list", "watch", "update", "delete", "deletecollection", "patch"] | ||
| - apiGroups: ["mutations.gatekeeper.sh"] | ||
| resources: ["*"] | ||
| verbs: ["create", "get", "list", "watch", "update", "delete", "deletecollection", "patch"] |
There was a problem hiding this comment.
Double check whether get, list, watch is enough.
| verbs: ["create", "get", "list", "watch", "update", "delete", "deletecollection", "patch"] | ||
| - apiGroups: ["admissionregistration.k8s.io"] | ||
| resources: ["validatingadmissionpolicybindings", "validatingadmissionpolicies"] | ||
| verbs: ["create", "get", "list", "watch", "update", "delete", "deletecollection", "patch"] |
There was a problem hiding this comment.
Double check whether get, list, watch is enough. In the future I expect we could begin adopting VAP in the hub once it's supported across the OCP releases we run on, but for now I'm not sure why we would want the extra permissions.
There was a problem hiding this comment.
so only get, list, watch? I am not sure why #1723 added extra verb to gatekeeper constraint
| verbs: ["get", "list", "watch"] | ||
| - apiGroups: ["submarineraddon.open-cluster-management.io"] | ||
| resources: ["submarinerconfigs", "submarinerconfigs/status"] | ||
| verbs: ["get", "list", "watch", "update", "patch"] | ||
| - apiGroups: ["mutations.gatekeeper.sh"] |
There was a problem hiding this comment.
If RBAC is reduced above, make sure update and patch are removed here too.
This will allow the discovered policies table to show kyverno policies(clusterPolicy, policy), gatekeeper mutations, validatingAdmissionPolicyBinding, policyreports for view users. Signed-off-by: yiraeChristineKim <[email protected]>
yiraeChristineKim
force-pushed
the
dicovered-kyverno-gatekeeper-vapb
branch
from
e48a233 to
535ee2c
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dhaiducek, gparvin, yiraeChristineKim The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Description
This will allow the discovered policies table to show kyverno policies(clusterPolicy, policy), gatekeeper mutations, validatingAdmissionPolicyBinding, policyreports for view users.
Related Issue
https://issues.redhat.com/browse/ACM-16116
https://issues.redhat.com/browse/ACM-16959
Changes Made
Add roles (gatekeeper mutation, kyverno policies, clusterpolicyReport)
Checklist
Additional Notes
Related: #1723
Reviewers
@JustinKuli @dhaiducek @gparvin
Definition of Done