| 1 | +## Synthetic User Permissions |
| 2 | + |
| 3 | +!!! note |
| 4 | +This feature is still in *alpha* the `SyntheticPermissions` feature-gate must be enabled to make use of it. |
| 5 | +See the instructions below on how to enable it. |
| 6 | + |
| 7 | +Synthetic user permissions enables fine-grained configuration of ClusterExtension management client RBAC permissions. |
| 8 | +User can not only configure RBAC permissions governing the management across all ClusterExtensions, but also on a |
| 9 | +case-by-case basis. |
| 10 | + |
| 11 | +### Update OLM to enable Feature |
| 12 | + |
| 13 | +```terminal title=Enable SyntheticPermissions feature |
| 14 | +kubectl kustomize config/overlays/featuregate/synthetic-user-permissions | kubectl apply -f - |
| 15 | +``` |
| 16 | + |
| 17 | +```terminal title=Wait for rollout to complete |
| 18 | +kubectl rollout status -n olmv1-system deployment/operator-controller-controller-manager |
| 19 | +``` |
| 20 | + |
| 21 | +### How does it work? |
| 22 | + |
| 23 | +When managing a ClusterExtension, OLM will assume the identity of user "olm:clusterextensions:<clusterextension-name>" |
| 24 | +and group "olm:clusterextensions" limiting Kubernetes API access scope to those defined for this user and group. These |
| 25 | +users and group do not exist beyond being defined in Cluster/RoleBinding(s) and can only be impersonated by clients with |
| 26 | + `impersonate` verb permissions on the `users` and `groups` resources. |
| 27 | + |
| 28 | +### Demo |
| 29 | + |
| 30 | +[](https://asciinema.org/a/Jbtt8nkV8Dm7vriHxq7sxiVvi) |
| 31 | + |
| 32 | +#### Examples: |
| 33 | + |
| 34 | +##### ClusterExtension management as cluster-admin |
| 35 | + |
| 36 | +To enable ClusterExtensions management as cluster-admin, bind the `cluster-admin` cluster role to the `olm:clusterextensions` |
| 37 | +group: |
| 38 | + |
| 39 | +``` |
| 40 | +apiVersion: rbac.authorization.k8s.io/v1 |
| 41 | +kind: ClusterRoleBinding |
| 42 | +metadata: |
| 43 | + name: clusterextensions-group-admin-binding |
| 44 | +roleRef: |
| 45 | + apiGroup: rbac.authorization.k8s.io |
| 46 | + kind: ClusterRole |
| 47 | + name: cluster-admin |
| 48 | +subjects: |
| 49 | +- kind: Group |
| 50 | + name: "olm:clusterextensions" |
| 51 | +``` |
| 52 | + |
| 53 | +##### Scoped olm:clusterextension group + Added perms on specific extensions |
| 54 | + |
| 55 | +Give ClusterExtension management group broad permissions to manage ClusterExtensions denying potentially dangerous |
| 56 | +permissions such as being able to read cluster wide secrets: |
| 57 | + |
| 58 | +``` |
| 59 | +apiVersion: rbac.authorization.k8s.io/v1 |
| 60 | +kind: ClusterRole |
| 61 | +metadata: |
| 62 | + name: clusterextension-installer |
| 63 | +rules: |
| 64 | + - apiGroups: [ olm.operatorframework.io ] |
| 65 | + resources: [ clusterextensions/finalizers ] |
| 66 | + verbs: [ update ] |
| 67 | + - apiGroups: [ apiextensions.k8s.io ] |
| 68 | + resources: [ customresourcedefinitions ] |
| 69 | + verbs: [ create, list, watch, get, update, patch, delete ] |
| 70 | + - apiGroups: [ rbac.authorization.k8s.io ] |
| 71 | + resources: [ clusterroles, roles, clusterrolebindings, rolebindings ] |
| 72 | + verbs: [ create, list, watch, get, update, patch, delete ] |
| 73 | + - apiGroups: [""] |
| 74 | + resources: [configmaps, endpoints, events, pods, pod/logs, serviceaccounts, services, services/finalizers, namespaces, persistentvolumeclaims] |
| 75 | + verbs: ['*'] |
| 76 | + - apiGroups: [apps] |
| 77 | + resources: [ '*' ] |
| 78 | + verbs: ['*'] |
| 79 | + - apiGroups: [ batch ] |
| 80 | + resources: [ '*' ] |
| 81 | + verbs: [ '*' ] |
| 82 | + - apiGroups: [ networking.k8s.io ] |
| 83 | + resources: [ '*' ] |
| 84 | + verbs: [ '*' ] |
| 85 | + - apiGroups: [authentication.k8s.io] |
| 86 | + resources: [tokenreviews, subjectaccessreviews] |
| 87 | + verbs: [create] |
| 88 | +``` |
| 89 | + |
| 90 | +``` |
| 91 | +apiVersion: rbac.authorization.k8s.io/v1 |
| 92 | +kind: ClusterRoleBinding |
| 93 | +metadata: |
| 94 | + name: clusterextension-installer-binding |
| 95 | +roleRef: |
| 96 | + apiGroup: rbac.authorization.k8s.io |
| 97 | + kind: ClusterRole |
| 98 | + name: clusterextension-installer |
| 99 | +subjects: |
| 100 | +- kind: Group |
| 101 | + name: "olm:clusterextensions" |
| 102 | +``` |
| 103 | + |
| 104 | +Give a specific ClusterExtension secrets access, maybe even on specific namespaces: |
| 105 | + |
| 106 | +``` |
| 107 | +apiVersion: rbac.authorization.k8s.io/v1 |
| 108 | +kind: ClusterRole |
| 109 | +metadata: |
| 110 | + name: clusterextension-privileged |
| 111 | +rules: |
| 112 | +- apiGroups: [""] |
| 113 | + resources: [secrets] |
| 114 | + verbs: ['*'] |
| 115 | +``` |
| 116 | + |
| 117 | +``` |
| 118 | +apiVersion: rbac.authorization.k8s.io/v1 |
| 119 | +kind: RoleBinding |
| 120 | +metadata: |
| 121 | + name: clusterextension-privileged-binding |
| 122 | + namespace: <some namespace> |
| 123 | +roleRef: |
| 124 | + apiGroup: rbac.authorization.k8s.io |
| 125 | + kind: ClusterRole |
| 126 | + name: clusterextension-privileged |
| 127 | +subjects: |
| 128 | +- kind: User |
| 129 | + name: "olm:clusterextensions:argocd-operator" |
| 130 | +``` |
| 131 | + |
| 132 | +Note: In this example the ClusterExtension user (or group) will still need to be updated to be able to manage |
| 133 | +the CRs coming from the argocd operator. Some look ahead and RBAC permission wrangling will still be required. |
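Review bot: the last rule of the `clusterextension-installer` ClusterRole lists `subjectaccessreviews` under `apiGroups: [authentication.k8s.io]`, but SubjectAccessReview belongs to `authorization.k8s.io` (only TokenReview is in `authentication.k8s.io`), so that grant is silently ineffective; split it into two rules, one per API group. In the same role, `pod/logs` is not a core resource name (the log subresource is `pods/log`), so the rule as written grants no log access. Two documentation points for the same file: the `!!! note` admonition body needs to be indented by four spaces for MkDocs to render it as an admonition, and "alpha the" is missing a comma. Finally, since the scoped role grants create/update on roles, clusterroles and their bindings, it would help readers to state that the API server's RBAC escalation prevention (a subject may only grant permissions it already holds unless it has the `escalate`/`bind` verbs, which this role deliberately omits) is what stops the `olm:clusterextensions` group from granting itself the cluster-wide secrets access the text says is withheld.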