add aggregated ClusterRole to manage namespaced resources #1399

Merged
merged 14 commits into from
Jul 31, 2023


eumel8
Collaborator

@eumel8 eumel8 commented Jul 26, 2023

fixes #1398

@pepov
Member

pepov commented Jul 27, 2023

Thanks for the proposal and for the implementation! However, I would like to separate these clusterroles based on the following resources:

  • host tailer
  • flows & outputs + syslogngflows & outputs
  • clusterflows & outputs + syslogngclusterflows & outputs

I'm not sure about the eventtailer, since that is something to be installed once into a logging system, not something to manage by individual users.

Also I would create a viewer role, that doesn't have to be split by resources, just grant view privileges to all the above logging resources for users.

I'm still a bit sceptical that we can provide clusterroles that are useful for most users/use cases, but at least we can provide an example implementation.

@eumel8
Collaborator Author

eumel8 commented Jul 27, 2023

@pepov Rancher has this implementation also for read-only/view access.
Aggregation is a common RBAC feature in Kubernetes and is useful not only in the context of Rancher projects. An extra value flag under the rbac section of the chart is also possible. At the moment, normal users don't have access to Flow and Output resources.

Member

@pepov pepov left a comment

I would either name the clusterrole as "-edit" and add an aggregator label for editor as well, as in these examples:

Or if we want to follow the rancher example then use the suffix '-admin' instead of user.

charts/logging-operator/templates/userrole.yaml (outdated)
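
The split proposed in the review above, sketched as an added example that is not the content of this PR's userrole.yaml. Role names are hypothetical, and which roles carry an aggregation label is an assumption of this example: a labelled role is merged into the built-in `edit` or `view` ClusterRole and so reaches every subject already bound to it, while an unlabelled one must be bound explicitly.

```yaml
# Added example: flows and outputs, aggregated into the built-in "edit" role.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: logging-flows-edit            # hypothetical name
  labels:
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
  - apiGroups: ["logging.banzaicloud.io"]
    resources: ["flows", "outputs", "syslogngflows", "syslogngoutputs"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
---
# Cluster flows and outputs: no aggregation label (assumption), bind explicitly.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: logging-clusterflows-edit     # hypothetical name
rules:
  - apiGroups: ["logging.banzaicloud.io"]
    resources: ["clusterflows", "clusteroutputs", "syslogngclusterflows", "syslogngclusteroutputs"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
---
# Host tailer: no aggregation label (assumption), bind explicitly.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: logging-hosttailers-edit      # hypothetical name
rules:
  - apiGroups: ["logging-extensions.banzaicloud.io"]
    resources: ["hosttailers"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
---
# Single read-only role over all of the above, aggregated into "view".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: logging-view                  # hypothetical name
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
  - apiGroups: ["logging.banzaicloud.io"]
    resources: ["flows", "outputs", "clusterflows", "clusteroutputs", "syslogngflows", "syslogngoutputs", "syslogngclusterflows", "syslogngclusteroutputs"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["logging-extensions.banzaicloud.io"]
    resources: ["hosttailers"]
    verbs: ["get", "list", "watch"]
```

`kubectl auth can-i create flows.logging.banzaicloud.io -n <namespace> --as <user>` confirms what a subject actually ends up with after aggregation.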
aslafy-z and others added 13 commits July 31, 2023 16:21
Signed-off-by: Zadkiel Aharonian <[email protected]>
Signed-off-by: Frank Kloeker <[email protected]>
Signed-off-by: Frank Kloeker <[email protected]>
add notice to logging status when there are multiple logging resources with the same ref

Signed-off-by: Peter Wilcsinszky <[email protected]>
Signed-off-by: Frank Kloeker <[email protected]>
Signed-off-by: Frank Kloeker <[email protected]>
Signed-off-by: Frank Kloeker <[email protected]>
Co-authored-by: Peter Wilcsinszky <[email protected]>
Signed-off-by: Frank Kloeker <[email protected]>
Co-authored-by: Peter Wilcsinszky <[email protected]>
Signed-off-by: Frank Kloeker <[email protected]>
Signed-off-by: Frank Kloeker <[email protected]>
Signed-off-by: Frank Kloeker <[email protected]>
Co-authored-by: Peter Wilcsinszky <[email protected]>
Signed-off-by: Frank Kloeker <[email protected]>
… invalid

Signed-off-by: Peter Wilcsinszky <[email protected]>
Signed-off-by: Frank Kloeker <[email protected]>
…g aggregator mode as well

Signed-off-by: Peter Wilcsinszky <[email protected]>
Signed-off-by: Frank Kloeker <[email protected]>
@pepov pepov merged commit 5a8e76e into kube-logging:master Jul 31, 2023
10 checks passed
@eumel8 eumel8 deleted the feat/userroles branch August 1, 2023 06:50
Successfully merging this pull request may close these issues.

user roles for namespaced resources are missing in logging-operator helm chart
3 participants