Replies: 6 comments 3 replies
-
No, you cannot get Strimzi working by giving only the get and list rights. How do you expect it to manage resources?
-
Hi Jakub,
Thanks for the quick reply.
If the resources to be managed are at the namespace level then this is fine from the operator side. This is a cluster on a private cloud with multi-tenancy, and the principle of least privilege is expected from the customer side.
All Strimzi is managing is related to resources within the namespaces and nothing at the cluster level? Maybe I am missing something..
I have changed the cluster-level roles to namespaced roles and brought up the Strimzi operator and even the Kafka cluster, but the topic operator is getting stuck during installation, and it is failing only because it is using the deprecated verbs.
$> kubectl get pods -n odf
NAME READY STATUS RESTARTS AGE
odf-cluster-kafka-0 1/1 Running 0 5h44m
odf-cluster-kafka-1 1/1 Running 0 5h44m
odf-cluster-kafka-2 1/1 Running 0 5h44m
odf-cluster-schema-registry-6d758cc4c4-7hnkm 1/2 CrashLoopBackOff 71 (111s ago) 5h45m
odf-cluster-schema-registry-6d758cc4c4-gd6z2 1/2 CrashLoopBackOff 71 (75s ago) 5h45m
odf-cluster-zookeeper-0 1/1 Running 0 5h44m
odf-cluster-zookeeper-1 1/1 Running 0 5h44m
odf-cluster-zookeeper-2 1/1 Running 0 5h44m
strimzi-cluster-operator-66dfb8898c-sgkf9 1/1 Running 0 6h8m
Ignore the CrashLoopBackOff; it is due to recreation of a secret and that will come through eventually. The issue is in the Kafka cluster creation for the topic operator.
Thanks,
Rajesh.
From: Jakub Scholz ***@***.***>
Sent: 07 November 2023 16:42
To: strimzi/strimzi-kafka-operator ***@***.***>
Cc: Rajesh Kalaiselvan ***@***.***>; Author ***@***.***>
Subject: Re: [strimzi/strimzi-kafka-operator] Strimzi operator - does it need cluster level role mandatory ? and deprecated verbs (Discussion #9333)
-
Hi Jakub,
I tried to install the CRDs provided as part of the Strimzi chart and then started creating the strimzi-cluster-operator ClusterRole as specified in the chart, but the cluster does not have support for the kafkatopics/status verbs; I got an error indicating that the only supported verbs are get, patch and update. When I ran the rbac-tool output as well, I only got the below supported verbs from the API server. As you can see below, in the apiGroup resources, kafkatopics supports all verbs while status supports only very restricted verbs from the kube API point of view. The operator here has a very strict rule that verbs which are not supported by the kube API are not allowed when creating a Role or a ClusterRole.
alcideio/rbac-tool: Rapid7 | insightCloudSec | Kubernetes RBAC Power Toys - Visualize, Analyze, Generate & Query: https://github.com/alcideio/rbac-tool
This tool provides the API verbs supported in kube.
Output (partial):
- apiGroups:
- kafka.strimzi.io
resources:
- kafkamirrormaker2s/scale
verbs:
- get
- patch
- update
- apiGroups:
- kafka.strimzi.io
resources:
- kafkatopics
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- kafka.strimzi.io
resources:
- kafkatopics/status
verbs:
- get
- patch
- update
- apiGroups:
- kafka.strimzi.io
resources:
- kafkaconnectors
I will need to check with the customer on this side to check further, but can you please check and confirm that the verbs are intact from your side for status?
Thanks,
Rajesh.
From: Jakub Scholz ***@***.***>
Sent: 07 November 2023 21:22
Well, that is because you took the rights away. There is nothing wrong with ClusterRoles; you have to keep them as they are. The ClusterRoles on their own do not give any access whatsoever to anyone. It is the RoleBinding / ClusterRoleBinding that gives the rights. So if you want to limit the operator to a particular namespace, you should not mess with the ClusterRoles but use RoleBindings and not ClusterRoleBindings. That should get the basic cluster working.
But keep in mind that Strimzi is not asking for the rights it asks for just for fun. It asks for them because they are required. So for example, if you change the ClusterRoleBindings to RoleBindings only, you will not be able to use some features (some of them important for production readiness) such as rack awareness or node port listeners. So while that should get some simpler clusters working, it still has some limitations given by the Kubernetes RBAC design.
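The point made in the quoted reply above, that a ClusterRole grants nothing until a binding attaches it and that a RoleBinding confines the same ClusterRole to one namespace, together with the status-subresource verb restriction shown earlier in the thread, as an added Python example. This is not part of the original discussion and not Strimzi project code. The manifests are constructed inline in the JSON shape that kubectl get <kind> -o json returns; the rule contents and binding names are hypothetical (only the kafka.strimzi.io resource names and the odf namespace come from the thread), and the functions audit, unsupported_subresource_verbs and namespace_scoped_binding are this example's own.

```python
"""Audit RBAC manifests for the two things raised in this thread:

1. Whether a ClusterRole that carries write verbs is exposed cluster-wide
   (ClusterRoleBinding) or only inside one namespace (RoleBinding).
2. Whether a rule grants a subresource such as */status verbs that the API
   server does not serve for it.

Added example, not Strimzi project code. Manifests are constructed inline in
the JSON shape `kubectl get <kind> -o json` returns; rule contents and binding
names are hypothetical, only the resource names and the "odf" namespace come
from the thread.
"""
import json

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# Verbs the API server advertised for kafkatopics/status in the thread.
SUBRESOURCE_VERBS = {"get", "patch", "update"}


def has_write_verbs(role):
    """True if any rule of the Role/ClusterRole grants a mutating verb."""
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        if "*" in verbs or verbs & WRITE_VERBS:
            return True
    return False


def unsupported_subresource_verbs(role):
    """(resource, sorted bad verbs) for subresource rules wider than get/patch/update."""
    findings = []
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        for resource in rule.get("resources", []):
            if "/" not in resource:
                continue  # whole resources may legitimately take every verb
            bad = {"*"} if "*" in verbs else verbs - SUBRESOURCE_VERBS
            if bad:
                findings.append((resource, sorted(bad)))
    return findings


def binding_scope(binding):
    """'cluster' for a ClusterRoleBinding, the namespace for a RoleBinding."""
    if binding["kind"] == "ClusterRoleBinding":
        return "cluster"
    return binding["metadata"]["namespace"]


def audit(objects):
    """(binding name, scope, role name) for every binding that hands out write verbs."""
    roles = {(o["kind"], o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    findings = []
    for obj in objects:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = obj["roleRef"]
        role = roles.get((ref["kind"], ref["name"]))
        # A ClusterRole grants nothing by itself; only the binding decides
        # where (and to whom) its rules apply.
        if role is not None and has_write_verbs(role):
            findings.append((obj["metadata"]["name"], binding_scope(obj), ref["name"]))
    return findings


def namespace_scoped_binding(cluster_role, namespace, service_account):
    """RoleBinding that reuses an unchanged ClusterRole but only inside one namespace."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": f"{cluster_role}-{namespace}", "namespace": namespace},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": cluster_role},
        "subjects": [{"kind": "ServiceAccount", "name": service_account,
                      "namespace": namespace}],
    }


# Constructed sample: a ClusterRole whose */status rule is deliberately wider
# than the API server serves, bound once cluster-wide and once per namespace.
CLUSTER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "strimzi-cluster-operator"},
    "rules": [
        {"apiGroups": ["kafka.strimzi.io"], "resources": ["kafkatopics"],
         "verbs": ["create", "delete", "deletecollection", "get",
                   "list", "patch", "update", "watch"]},
        {"apiGroups": ["kafka.strimzi.io"], "resources": ["kafkatopics/status"],
         "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    ],
}
CLUSTER_WIDE_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "strimzi-cluster-operator-global"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "ClusterRole", "name": "strimzi-cluster-operator"},
    "subjects": [{"kind": "ServiceAccount", "name": "strimzi-cluster-operator",
                  "namespace": "odf"}],
}
NAMESPACED_BINDING = namespace_scoped_binding("strimzi-cluster-operator", "odf",
                                              "strimzi-cluster-operator")

if __name__ == "__main__":
    for finding in audit([CLUSTER_ROLE, CLUSTER_WIDE_BINDING, NAMESPACED_BINDING]):
        print("write verbs granted:", finding)
    for finding in unsupported_subresource_verbs(CLUSTER_ROLE):
        print("subresource verbs the API will not serve:", finding)
    print(json.dumps(NAMESPACED_BINDING, indent=2))
```

Against a live cluster, feed the items of kubectl get clusterroles,clusterrolebindings,rolebindings -A -o json into audit(): the same ClusterRole shows up as "cluster" scope when a ClusterRoleBinding references it and as a namespace when only a RoleBinding does, which is the distinction the customer's read-only-ClusterRole policy is really about. The caveat from the same reply still applies: leaving the ClusterRole unchanged and binding it per namespace keeps the basic cluster working, but features that need cluster-wide access, such as rack awareness or node port listeners, will not work without the ClusterRoleBinding.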
-
Thanks will keep you posted if I have any finding from my side too.
From: Jakub Scholz ***@***.***>
Sent: 07 November 2023 21:50
That might be something to look into. But I'm not aware of anyone else having a problem with it. So that seems to be your local issue.
-
Thanks Jakub for this feedback.
One of the things our customer is looking for is the reasoning behind the need for cluster roles for the Strimzi operator. Can you please point to any document as to why we need the cluster role with the write access verbs?
Do you have documentation at that level that can be provided? This is to get assistance with the security exception to be included.
Thanks,
Rajesh.
-
@rajeshkal FYI: I opened a PR #9403 to clean-up the RBAC grants for the status subresources you raised here. Feel free to give it a try and let me know if you get some more warnings. Thanks
-
We are trying to install Strimzi version 0.32.0 and the customer does not allow using a ClusterRole with write verbs, so all ClusterRoles should have read verbs ONLY. Does Strimzi have any configuration to use only namespace-level scope for all the roles created? We are installing on Kubernetes version 1.25.
Additionally, the Strimzi roles created for the Strimzi operator use some RBAC rules with deprecated verbs associated: kafkatopics/status can only support the get/patch/update verbs when checking the kube API for 1.25, but the roles are created with all verbs.
(The image referred to here is the output of kubectl describe kafka -n odf.)
Is there a possibility to move from cluster-level roles to namespaced roles and run the Kafka cluster?