Uploaded image for project: 'OpenShift GitOps'
  1. OpenShift GitOps
  2. GITOPS-2615

Controller should use aggregated cluster role as default

XMLWordPrintable

    • Icon: Epic Epic
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • None
    • ArgoCD
    • None
    • Controller should use aggregated cluster role as default
    • False
    • None
    • False
    • To Do
    • 0% To Do, 50% In Progress, 50% Done

      Epic Goal

      • Use an aggregated cluster role for the default role for the controller instead of the current hard-coded role that is created in the namespace by the operator

      See this description of aggregated cluster roles, for details on this K8s feature: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles

      Why is this important?

      • The current default role is hard-coded with a specific set of permissions managed by the GitOps product team. This role is operator managed and cannot be modified by the customer since changes will be reverted by the Operator
      • Using an aggregated cluster role enables customers to easily add their own permissions without having to define a completely new role from scratch using the CONTROLLER_CLUSTER_ROLE environment variable
      • The aggregated role can inherit the permissions from the default admin ClusterRole in OpenShift which removes the onus on the GitOps team to manage the list of permissions.

      Scenarios

      1. Customer has deployed a new CRD and needs to add permissions to the controller to work with that CRD

      Acceptance Criteria (Mandatory)

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.

      Dependencies (internal and external)

      This is potentially a breaking change

      Previous Work (Optional):

      Recommended ClusterRole is based on the following which I have been testing successfully for a few weeks now in a lab environment.

      apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: 
  annotations: 
    rbac.authorization.kubernetes.io/autoupdate: "true"
  name: gitops-controller
aggregationRule: 
  clusterRoleSelectors: 
  - matchLabels: 
      gitops/aggregate-to-controller: "true"
rules: []
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: 
  name: gitops-controller-admin
  labels: 
    gitops/aggregate-to-controller: "true"
aggregationRule: 
  clusterRoleSelectors: 
  - matchLabels: 
      rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules: []
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: 
  name: gitops-controller-view
  labels: 
    gitops/aggregate-to-controller: "true"
rules: 
- apiGroups: 
  - '*'
  resources: 
  - '*'
  verbs: 
  - get
  - list
  - watch

      Done Checklist

      • Acceptance criteria are met
      • Non-functional properties of the Feature have been validated (such as performance, resource, UX, security or privacy aspects)
      • User Journey automation is delivered
      • Support and SRE teams are provided with enough skills to support the feature in production environment

            jgwest Jonathan West
            gnunn@redhat.com Gerald Nunn
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated: