
feat(helm): reduce scope of rbac permissions and introduce usage of RoleBinding #13387


Open
wants to merge 5 commits into
base: master
from

Conversation

lukidzi
Contributor

@lukidzi lukidzi commented Apr 11, 2025

Motivation

To improve security, we are introducing a new option that allows the use of RoleBinding instead of ClusterRoleBinding. The default ClusterRoleBinding will also have reduced access to cluster resources.

Implementation information

  • Permissions in the default ClusterRole have been reduced.
  • The default ClusterRole is now split into:
    • A cluster-scoped role for cluster-scoped resources and read-only access to namespaced ones.
    • A namespaced role for read and write access within specified namespaces.
  • Users can now provide a list of namespaces that are part of the Mesh. When this is configured, we create RoleBindings in those namespaces instead of a single ClusterRoleBinding.

Warning

kube-linter recommends the use of explicit resource names instead of * in a ClusterRole. At the moment I've disabled this validator since we want to watch all Kuma resources and avoid changes to the ClusterRole. Let's discuss whether we want to use * with the linter disabled or whether we should set them explicitly.

https://kubernetes.io/docs/reference/access-authn-authz/rbac/#referring-to-resources

Using wildcards in resource and verb entries could result in overly permissive access being granted to sensitive resources. For instance, if a new resource type is added, or a new subresource is added, or a new custom verb is checked, the wildcard entry automatically grants access, which may be undesirable. The principle of least privilege should be employed, using specific resources and verbs to ensure only the permissions required for the workload to function correctly are applied.

Supporting documentation

Fix #13371
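The split described in the PR description, as an added illustration rather than this PR's own template: one ClusterRole holding the namespaced read/write rules, bound with a RoleBinding in each listed namespace when a list is configured, and with a single ClusterRoleBinding otherwise. The value key (controlPlane.meshNamespaces), the object names and the rules list are assumptions, not the chart's real ones.

```yaml
# Added illustration, not the chart's own template. Assumed value:
#   controlPlane.meshNamespaces: list of namespaces that are part of the Mesh
# Names (kuma-control-plane-*) and the rules list are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kuma-control-plane-namespaced
rules:
- apiGroups: [""]
  resources: ["pods", "services", "endpoints"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["kuma.io"]
  resources: ["dataplanes"]        # every namespaced Kuma CRD would be listed here
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
{{- if .Values.controlPlane.meshNamespaces }}
{{- range $ns := .Values.controlPlane.meshNamespaces }}
---
# A RoleBinding may reference a ClusterRole, but the grant applies only inside
# the binding's namespace: write access never reaches namespaces not in the Mesh.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kuma-control-plane-namespaced
  namespace: {{ $ns }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kuma-control-plane-namespaced
subjects:
- kind: ServiceAccount
  name: kuma-control-plane
  namespace: {{ $.Release.Namespace }}
{{- end }}
{{- else }}
---
# No namespace list: fall back to one cluster-wide binding of the same role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: kuma-control-plane-namespaced
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kuma-control-plane-namespaced
subjects:
- kind: ServiceAccount
  name: kuma-control-plane
  namespace: {{ .Release.Namespace }}
{{- end }}
```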

@lukidzi lukidzi added the ci/run-full-matrix PR: Runs all possible e2e test combination (expensive use carefully) label Apr 11, 2025
Contributor

Reviewer Checklist

🔍 Each of these sections needs to be checked by the reviewer of the PR 🔍:
If something doesn't apply please check the box and add a justification if the reason is non-obvious.

  • Is the PR title satisfactory? Is this part of a larger feature and should be grouped using > Changelog?
  • PR description is clear and complete. It links to the relevant issue as well as docs and UI issues
  • This will not break child repos: it doesn't hardcode values (e.g. "kumahq" as an image registry)
  • IPv6 is taken into account (e.g. no string concatenation of host and port)
  • Tests (Unit test, E2E tests, manual test on universal and k8s)
    • Don't forget ci/ labels to run additional/fewer tests
  • Does this contain a change that needs to be notified to users? In this case, UPGRADE.md should be updated.
  • Does it need to be backported according to the backporting policy? (this GH action will add "backport" label based on these file globs, if you want to prevent it from adding the "backport" label use no-backport-autolabel label)

@lukidzi lukidzi marked this pull request as ready for review April 16, 2025 13:05
@lukidzi lukidzi requested a review from a team as a code owner April 16, 2025 13:05
Signed-off-by: Lukasz Dziedziak <[email protected]>
{{- if .Values.controlPlane.supportGatewaySecretsInAllNamespaces }}
- secrets
{{- end }}
{{- if and .Values.transparentProxy.configMap.enabled .Values.transparentProxy.configMap.config }}
- configmaps
{{- end }}
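Review bot: the two conditional entries are gated differently, and that deserves a line in the values documentation. `- secrets` is added on a single flag, `.Values.controlPlane.supportGatewaySecretsInAllNamespaces`; if this list belongs to the cluster-scoped role, that flag re-grants read access to every Secret in the cluster, so its description should say so plainly and its default should be confirmed as off given this PR's goal. `- configmaps` requires both `transparentProxy.configMap.enabled` and a non-empty `transparentProxy.configMap.config`, so an operator who sets `enabled: true` without `config` silently loses the permission; either gate it on `enabled` alone or document that both are required.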
Contributor Author

@lukidzi lukidzi Apr 16, 2025


@bartsmykla We don't need this after #13409?

@lukidzi lukidzi requested a review from slonka April 16, 2025 15:31
Labels
ci/run-full-matrix PR: Runs all possible e2e test combination (expensive use carefully)
Development

Successfully merging this pull request may close these issues.

Limit rbac permissions for control-plane
1 participant