Skip to content

advanced router role #11715

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
rajatchopra wants to merge 1 commit into from
Closed

advanced router role #11715

rajatchopra wants to merge 1 commit into from

Conversation

@rajatchopra
Copy link
Contributor

@rajatchopra rajatchopra commented Nov 1, 2016
edited
Loading

Follow up to #11528

deads2k
deads2k reviewed Nov 1, 2016
View reviewed changes
pkg/cmd/server/bootstrappolicy/policy.go Outdated
Name: PrivilegedRouterRoleName,
},
Rules: []authorizationapi.PolicyRule{
authorizationapi.NewRule("list", "watch").Groups(kapiGroup).Resources("endpoints").RuleOrDie(),
Copy link
Contributor

@deads2k deads2k Nov 1, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you only need this one. A user can have multiple roles, so this is what you need in addition to the existing router role.

deads2k
deads2k reviewed Nov 1, 2016
View reviewed changes
pkg/cmd/server/bootstrappolicy/constants.go Outdated
MasterRoleName = "system:master"
NodeRoleName = "system:node"
NodeProxierRoleName = "system:node-proxier"
PrivilegedRouterRoleName = "system:privileged-router"
Copy link
Contributor

@deads2k deads2k Nov 1, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How many router flavors do we have? Seems like we might want to name this specifically for F5, so that if you need to "list privileged-fobbers" next, we don't need any new bindings.

@rajatchopra rajatchopra changed the title [Do not Merge] WIP: advanced router role advanced router role Nov 1, 2016
@rajatchopra
Copy link
Contributor Author

rajatchopra commented Nov 1, 2016
edited
Loading

@deads2k @smarterclayton PTAL. Will get the docs PR rolling meanwhile.

cc @knobunc

@liggitt
Copy link
Contributor

liggitt commented Nov 2, 2016
edited
Loading

Would the existing system:sdn-reader role make more sense for something that wanted to participate in SDN stuff? It grants read access to more than just nodes, but that doesn't really bother me if the semantics match ("something that needs read-only access to SDN information"), and it seems like a generic "SDN aware router" role would eventually converge on the SDN reader role anyway

@knobunc
Copy link
Contributor

knobunc commented Nov 2, 2016

I agree with @liggitt. This is what I was trying to get at yesterday afternoon on IRC before my PC crashed. I was trying to work out if it was better to grant two roles to the F5 router, than make one super-role. Personally, I like the two because it makes it clear that the F5 has extra privs.

@liggitt
Copy link
Contributor

liggitt commented Nov 2, 2016

+1 for granting system:router (for router-related perms) and system:sdn-reader (for SDN-related perms)

@deads2k
Copy link
Contributor

deads2k commented Nov 2, 2016

I agree with @liggitt. This is what I was trying to get at yesterday afternoon on IRC before my PC crashed. I was trying to work out if it was better to grant two roles to the F5 router, than make one super-role. Personally, I like the two because it makes it clear that the F5 has extra privs.

I think we've all agreed on two, we're just deciding if system:sdn-reader is the same as system:sdn-integrated-router. I would have assumed their different, but I don't have much knowledge in the domain.

@deads2k
Copy link
Contributor

deads2k commented Nov 2, 2016

I think we've all agreed on two, we're just deciding if system:sdn-reader is the same as system:sdn-integrated-router. I would have assumed their different, but I don't have much knowledge in the domain

To elaborate, I can envision a router that may want to mutate some resource. I'm hard pressed to come up with a use-case for a "reader" role having mutation privileges.

@liggitt
Copy link
Contributor

liggitt commented Nov 2, 2016

To elaborate, I can envision a router that may want to mutate some resource. I'm hard pressed to come up with a use-case for a "reader" role having mutation privileges.

Sure... we wouldn't add write permissions to the reader role. I don't know enough about how the SDN objects interact to know if subdividing write access to just some of them is valuable, or if we had a router that needed SDN write permissions, we would just grant the system:sdn-manager role to it.

@rajatchopra
Copy link
Contributor Author

rajatchopra commented Nov 2, 2016

I am tempted to kill this one and just use SDNReaderRoleName that already exists. The only thing extra over there is the egressnetworkpolicies, harmless to read I think.

@rajatchopra
Copy link
Contributor Author

rajatchopra commented Nov 4, 2016

This is what will go in for the docs then (we do not need another role here):
oadm policy add-cluster-role-to-user system:sdn-reader system:serviceaccount:default:router

@rajatchopra rajatchopra closed this Nov 4, 2016
@rajatchopra rajatchopra deleted the router_role branch November 14, 2016 05:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@deads2k deads2k deads2k left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@rajatchopra @liggitt @knobunc @deads2k