HI team, we are looking at the <rbac.yaml> file fo...
# flyte-supportp
polite-ability-4005
12/20/2022, 9:58 PMHI team, we are looking at the rbac.yaml file for propeller. There is one rule confusing to us. It seems that it allows most verbs from all resources and all apiGroups, which might overwrite other rules.
Copy code
# Allow Access All plugin objects
- apiGroups:
- '*'
resources:
- '*'
verbs:
- get
- list
- watch
- create
- update
- delete
- patch🔥 2
t
thankful-minister-83577
12/20/2022, 10:35 PM
i might be wrong but iirc that’s just there because some people might choose to replace it, and specify each plugin’s resource separately.
thankful-minister-83577
12/20/2022, 10:36 PM
like give it access to spark, ray, otherplugin, etc.
p
polite-ability-4005
12/20/2022, 10:36 PMThat makes sense
polite-ability-4005
12/20/2022, 10:36 PMThanks
t
thankful-minister-83577
12/20/2022, 10:36 PM
and in that case, that block can go, but it still needs the other sections in that yaml file, like the abilities on flyteworkflows crd etc
đź’Ż 2
l
limited-raincoat-94253
12/21/2022, 12:01 AM@thankful-minister-83577 Another question: Does flyteadmin need * verbs for the following:
Copy code
- apiGroups:
- ""
- <http://flyte.lyft.com|flyte.lyft.com>
- <http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>
resources:
- configmaps
- flyteworkflows
- namespaces
- pods
- resourcequotas
- roles
- rolebindings
- secrets
- services
- serviceaccounts
- spark-role
verbs:
- '*'t
thankful-minister-83577
12/21/2022, 12:26 AM
probably not.
thankful-minister-83577
12/21/2022, 12:26 AM
delete it doesn’t
thankful-minister-83577
12/21/2022, 12:26 AM
since it doesn’t really do delete.
thankful-minister-83577
12/21/2022, 12:26 AM
this isn’t really for admin btw. this is for the cluster resource controller that runs as part of admin.
thankful-minister-83577
12/21/2022, 12:27 AM
(well it runs in a separate container, but it’s in the flyteadmin github repo)
thankful-minister-83577
12/21/2022, 12:28 AM
this is the binary that for example, when someone creates a
newprojectnewproject-development/staging/productionthankful-minister-83577
12/21/2022, 12:28 AM
and like create the appropriate image pull secret if necessary
thankful-minister-83577
12/21/2022, 12:29 AM
and service accounts
thankful-minister-83577
12/21/2022, 12:29 AM
etc.
thankful-minister-83577
12/21/2022, 12:29 AM
so given its role as a “cluster manager”, it naturally needs elevated permissions.
thankful-minister-83577
12/21/2022, 12:30 AM
definitely possible to turn this off, and provision the cluster yourself, but it does get tedious so you probably want some tooling anyways.
l
limited-raincoat-94253
12/21/2022, 1:44 AM@thankful-minister-83577 ah that is awesome. Thanks for the detailed explanation. We will turn it off for now since we are building a MVP that will only provision to a single pre-exist namespace.
t
thankful-minister-83577
12/21/2022, 1:56 AM
it’s also possible to change how the namespacing construct works
thankful-minister-83577
12/21/2022, 1:56 AM
it’s just a template
thankful-minister-83577
12/21/2022, 1:56 AM
thankful-minister-83577
12/21/2022, 1:57 AM
also k8s perms error logging is pretty precise, so it’s easy to close things down first and open up as you need to.
đź‘Ť 1
l
limited-raincoat-94253
12/21/2022, 8:03 AMyeah, we did the override, we set it to be a specific namespace that preexists
f
freezing-airport-6809
12/21/2022, 7:10 PM
awesome
160 Views