minimize the rbac permissions for karmada-operator #5586
Conversation
Codecov Report

All modified and coverable lines are covered by tests ✅

Coverage Diff:

```
@@            Coverage Diff             @@
##           master    #5586      +/-   ##
==========================================
- Coverage   40.53%   40.53%   -0.01%
==========================================
  Files         650      650
  Lines       55184    55184
==========================================
- Hits        22369    22367       -2
- Misses      31383    31385       +2
  Partials     1432     1432
```

Flags with carried forward coverage won't be shown. View full report in Codecov by Sentry.
/cc @zhzhuang-zju

/assign

@B1F030 I see that you have broken down the RBAC permissions for component karmada-operator, which is a good idea. Have you validated this locally? If so, could you tell me how you conducted the validation?

@B1F030 The
During my review, I found a method for local verification; you might also want to give it a try.

```shell
$ export KUBECONFIG=~/.kube/xxxx.config
$ kubectl config use-context xxx
```

In `charts/karmada-operator/templates/karmada-operator-deployment.yaml`:

```yaml
- --v=4
```

```shell
$ helm install karmada-operator -n karmada-system --create-namespace --dependency-update ./charts/karmada-operator --set operator.image.tag=latest --debug
$ kubectl get clusterrole
NAME
karmada-operator
$ kubectl get sa
karmada-operator
$ kubectl get clusterrolebinding
karmada-operator
$ kubectl get clusterrole karmada-operator --namespace karmada-system -oyaml > karmada-operator.yaml
$ vi karmada-operator.yaml
```

`karmada-operator.yaml` after editing:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    meta.helm.sh/release-name: karmada-operator
    meta.helm.sh/release-namespace: karmada-system
  labels:
    app.kubernetes.io/instance: karmada-operator
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: karmada-operator
    helm.sh/chart: karmada-operator-0.0.1
  name: karmada-operator
rules:
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases # karmada-operator needs to use the Leases resource for leader election.
  verbs:
  - get
  - create
  - update
```

```shell
$ kubectl apply -f karmada-operator.yaml
$ kubectl rollout restart deployment/karmada-operator -nkarmada-system
```
@B1F030 I am using the RBAC you set up to install the

(karmada/operator/pkg/tasks/init/etcd.go, line 94 at e117edc)

The karmada-operator still requires RBAC permissions for the pod resource to check if the pods are ready.
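The verification method above and the follow-up about pod permissions both come down to one question: does the dumped ClusterRole grant exactly what the operator is known to need, and nothing wildcarded? The following audit program is an added example, not code from this PR or the Karmada code base. It parses the output of `kubectl get clusterrole karmada-operator -ojson` using only the Go standard library; the `OperatorNeeds` list mirrors what the thread established (leases for leader election, pods for readiness checks), but the pod verbs `get`/`list` are an assumption for this example, and both sample role documents are constructed here.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// PolicyRule and ClusterRole carry only the rbac.authorization.k8s.io/v1
// fields this audit reads, so no k8s.io module is required.
type PolicyRule struct {
	APIGroups []string `json:"apiGroups"`
	Resources []string `json:"resources"`
	Verbs     []string `json:"verbs"`
}

type ClusterRole struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Rules []PolicyRule `json:"rules"`
}

// Need is one permission the operator is known to require.
type Need struct{ Group, Resource, Verb string }

// OperatorNeeds: leases for leader election (from the thread) and pods for
// readiness checks. The pod verbs are an assumption made for this example.
var OperatorNeeds = []Need{
	{"coordination.k8s.io", "leases", "get"},
	{"coordination.k8s.io", "leases", "create"},
	{"coordination.k8s.io", "leases", "update"},
	{"", "pods", "get"},  // "" is the core API group
	{"", "pods", "list"},
}

// ParseClusterRole decodes `kubectl get clusterrole <name> -ojson` output.
func ParseClusterRole(doc string) (ClusterRole, error) {
	var role ClusterRole
	err := json.Unmarshal([]byte(doc), &role)
	return role, err
}

// matches treats "*" in a rule as matching anything, as the API server does.
func matches(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

func hasWildcard(list []string) bool {
	for _, v := range list {
		if v == "*" {
			return true
		}
	}
	return false
}

// grants reports whether any rule in the role allows the needed verb on the
// needed group/resource.
func (r ClusterRole) grants(n Need) bool {
	for _, rule := range r.Rules {
		if matches(rule.APIGroups, n.Group) && matches(rule.Resources, n.Resource) && matches(rule.Verbs, n.Verb) {
			return true
		}
	}
	return false
}

// Audit returns the required permissions the role does not grant (the operator
// would fail at runtime) and the rules that use a wildcard anywhere (the role
// is broader than a minimized one should be).
func Audit(role ClusterRole, needs []Need) (missing, wildcards []string) {
	for _, n := range needs {
		if !role.grants(n) {
			missing = append(missing, fmt.Sprintf("%s %s/%s", n.Verb, n.Group, n.Resource))
		}
	}
	for i, rule := range role.Rules {
		if hasWildcard(rule.APIGroups) || hasWildcard(rule.Resources) || hasWildcard(rule.Verbs) {
			wildcards = append(wildcards, fmt.Sprintf("rules[%d]: groups=%s resources=%s verbs=%s", i,
				strings.Join(rule.APIGroups, ","), strings.Join(rule.Resources, ","), strings.Join(rule.Verbs, ",")))
		}
	}
	return missing, wildcards
}

// leaseOnlyRole is the minimized role from the thread, as kubectl -ojson would
// print it (constructed sample input).
const leaseOnlyRole = `{
  "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
  "metadata": {"name": "karmada-operator"},
  "rules": [{"apiGroups": ["coordination.k8s.io"], "resources": ["leases"], "verbs": ["get", "create", "update"]}]
}`

// wildcardRole is a constructed over-broad "before" shape for comparison.
const wildcardRole = `{
  "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
  "metadata": {"name": "karmada-operator"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
}`

func main() {
	for _, doc := range []string{leaseOnlyRole, wildcardRole} {
		role, err := ParseClusterRole(doc)
		if err != nil {
			panic(err)
		}
		missing, wildcards := Audit(role, OperatorNeeds)
		fmt.Printf("%s: missing=%v wildcards=%v\n", role.Metadata.Name, missing, wildcards)
	}
}
```

Run it against a live dump with `kubectl get clusterrole karmada-operator -ojson > role.json` and feed the file in place of the embedded constants; the lease-only role is reported as missing the pod permissions the second comment above describes, while the wildcard role passes the needs check but is flagged as broader than minimal.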
@B1F030 Could you please squash the commits?
@RainbowMango Done.

/lgtm
@B1F030 Others LGTM. Using the one-click installation script provided by #5519 to install Karmada, the result is as follows:

Passed the basic e2e tests:

```shell
$ ./run-e2e-local.sh "[BasicPropagation] propagation testing deployment propagation testing"
Ran 3 of 239 Specs in 36.530 seconds
SUCCESS! -- 3 Passed | 0 Failed | 0 Pending | 236 Skipped

$ ./run-e2e-local.sh "priorityMatchName/priorityMatchLabel/priorityMatchAll propagation testing"
Ran 1 of 239 Specs in 177.398 seconds
SUCCESS! -- 1 Passed | 0 Failed | 0 Pending | 238 Skipped
Ginkgo ran 1 suite in 3m32.078400677s
Test Suite Passed
```
Signed-off-by: B1F030 <[email protected]>
/lgtm
/approve

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: RainbowMango

The full list of commands accepted by this bot can be found here. The pull request process is described here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing
What type of PR is this?
/kind feature
What this PR does / why we need it:
Which issue(s) this PR fixes:
Part of #5182
Special notes for your reviewer:
Does this PR introduce a user-facing change?: