Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore: support define policy rules in helm values #8854

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

chore: support define policy rules in helm values #8854

wants to merge 3 commits into from

Conversation

cjc7373
Copy link
Contributor

@cjc7373 cjc7373 commented Jan 23, 2025

No description provided.

@github-actions github-actions bot added the size/M Denotes a PR that changes 30-99 lines. label Jan 23, 2025
@codecov Codecov
Copy link

codecov bot commented Jan 23, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 60.32%. Comparing base (532406f) to head (2c58218).
Report is 3 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #8854      +/-   ##
==========================================
+ Coverage   60.26%   60.32%   +0.05%     
==========================================
  Files         382      382              
  Lines       46259    46259              
==========================================
+ Hits        27880    27904      +24     
+ Misses      15700    15681      -19     
+ Partials     2679     2674       -5
Flag Coverage Δ
unittests 60.32% <ø> (+0.05%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@cjc7373 cjc7373 marked this pull request as ready for review January 23, 2025 07:19
@cjc7373 cjc7373 requested review from leon-inf, Y-Rookie and a team as code owners January 23, 2025 07:19
@cjc7373 cjc7373 changed the title chore: suuport define policy rules in helm values chore: support define policy rules in helm values Jan 23, 2025
wangyelei
wangyelei reviewed Jan 23, 2025
View reviewed changes
deploy/helm/templates/rbac/rbac_manager_additaional_role.yaml
# user defined rules
{{- with .Values.rbac.additionalPolicyRules }}
{{ toYaml . }}
{{- end }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why not definied in cmpd?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Permissions defined in cmpd can't exceed the permission owned by kubeblocks. So if a user want to define a permission kb does not own by default, he can add it here so that kb owns it.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where is this limitation enforced? Is it a restriction within Kubernetes itself, or does KB have validation logic (I can't find the code)?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's enforced by Kubernetes. (doc: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#privilege-escalation-prevention-and-bootstrapping)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Got it, please update PR description correspondingly.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should just allow the escalation by adding the escalate verb and the bind verb to the RBAC rules of KB, according to the K8s doc.

What do you think? @leon-inf

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would that be too dangerous?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The point is:

  • It makes no sense to add additional but useless rules for KB.
  • Rules that need to be added are unpredictable.

zjx20
zjx20 reviewed Jan 23, 2025
View reviewed changes
apis/apps/v1/componentdefinition_types.go Outdated Show resolved Hide resolved
deploy/helm/templates/rbac/rbac_manager_additaional_role.yaml
# user defined rules
{{- with .Values.rbac.additionalPolicyRules }}
{{ toYaml . }}
{{- end }}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where is this limitation enforced? Is it a restriction within Kubernetes itself, or does KB have validation logic (I can't find the code)?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wangyelei wangyelei wangyelei left review comments

@zjx20 zjx20 zjx20 left review comments

@leon-inf leon-inf Awaiting requested review from leon-inf leon-inf is a code owner

@Y-Rookie Y-Rookie Awaiting requested review from Y-Rookie Y-Rookie is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
size/M Denotes a PR that changes 30-99 lines.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cjc7373 @zjx20 @wangyelei