# ask-the-community
b
Hi team, we are looking at the rbac.yaml file for propeller. There is one rule confusing to us. It seems that it allows most verbs from all resources and all apiGroups, which might overwrite other rules.
# Allow Access All plugin objects
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - delete
  - patch
Please help take a look. Thanks! @Yubo Wang
y
i might be wrong but iirc that’s just there because some people might choose to replace it, and specify each plugin’s resource separately.
like give it access to spark, ray, otherplugin, etc.
b
That makes sense
Thanks
y
and in that case, that block can go, but it still needs the other sections in that yaml file, like the abilities on flyteworkflows crd etc
y
@Yee Another question: Does flyteadmin need * verbs for the following:
- apiGroups:
  - ""
  - flyte.lyft.com
  - rbac.authorization.k8s.io
  resources:
  - configmaps
  - flyteworkflows
  - namespaces
  - pods
  - resourcequotas
  - roles
  - rolebindings
  - secrets
  - services
  - serviceaccounts
  - spark-role
  verbs:
  - '*'
I don’t recall that admin needs that much power?🤔
y
probably not.
delete it doesn’t
since it doesn’t really do delete.
this isn’t really for admin btw. this is for the cluster resource controller that runs as part of admin.
(well it runs in a separate container, but it’s in the flyteadmin github repo)
this is the binary that, for example, when someone creates a newproject, will go in and create newproject-development/staging/production namespaces across all the clusters
and like create the appropriate image pull secret if necessary
and service accounts
etc.
so given its role as a “cluster manager”, it naturally needs elevated permissions.
definitely possible to turn this off, and provision the cluster yourself, but it does get tedious so you probably want some tooling anyways.
y
@Yee ah that is awesome. Thanks for the detailed explanation. We will turn it off for now since we are building an MVP that will only provision to a single pre-existing namespace.
y
it’s also possible to change how the namespacing construct works
it’s just a template
also k8s perms error logging is pretty precise, so it’s easy to close things down first and open up as you need to.
y
yeah, we did the override, we set it to be a specific namespace that preexists
k
awesome