# ask-the-community

Byron Hsu

12/20/2022, 9:58 PM
Hi team, we are looking at the rbac.yaml file for propeller. There is one rule confusing to us. It seems that it allows most verbs from all resources and all apiGroups, which might overwrite other rules.
```yaml
# Allow Access All plugin objects
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
  - patch
```
Please help take a look. Thanks! @Yubo Wang

Yee

12/20/2022, 10:35 PM
i might be wrong but iirc that’s just there because some people might choose to replace it, and specify each plugin’s resource separately.
like give it access to spark, ray, otherplugin, etc.

Byron Hsu

12/20/2022, 10:36 PM
That makes sense
Thanks

Yee

12/20/2022, 10:36 PM
and in that case, that block can go, but it still needs the other sections in that yaml file, like the abilities on flyteworkflows crd etc

Yubo Wang

12/21/2022, 12:01 AM
@Yee Another question: Does flyteadmin need * verbs for the following:
```yaml
- apiGroups:
  - ""
  - flyte.lyft.com
  - rbac.authorization.k8s.io
  resources:
  - configmaps
  - flyteworkflows
  - namespaces
  - pods
  - resourcequotas
  - roles
  - rolebindings
  - secrets
  - services
  - serviceaccounts
  - spark-role
  verbs:
  - '*'
```
I don’t recall that admin needs that much power?🤔

Yee

12/21/2022, 12:26 AM
probably not.
delete it doesn’t
since it doesn’t really do delete.
this isn’t really for admin btw. this is for the cluster resource controller that runs as part of admin.
(well it runs in a separate container, but it’s in the flyteadmin github repo)
this is the binary that for example, when someone creates a
newproject
will go in and create
newproject-development/staging/production
namespaces across all the clusters
and like create the appropriate image pull secret if necessary
and service accounts
etc.
so given its role as a “cluster manager”, it naturally needs elevated permissions.
definitely possible to turn this off, and provision the cluster yourself, but it does get tedious so you probably want some tooling anyways.

Yubo Wang

12/21/2022, 1:44 AM
@Yee ah that is awesome. Thanks for the detailed explanation. We will turn it off for now since we are building an MVP that will only provision to a single pre-existing namespace.

Yee

12/21/2022, 1:56 AM
it’s also possible to change how the namespacing construct works
it’s just a template
also k8s perms error logging is pretty precise, so it’s easy to close things down first and open up as you need to.

Yubo Wang

12/21/2022, 8:03 AM
yeah, we did the override, we set it to be a specific namespace that preexists

Ketan (kumare3)

12/21/2022, 7:10 PM
awesome