
Controller is listing jobs but it lacks permissions

Open luisyonaldo opened this issue 3 years ago • 2 comments

Hi, we are currently using goldilocks to manage VPA on our clusters. We use OPA as our authorization webhook and we see that goldilocks-controller is trying to list jobs in namespaces but it lacks the permission.

Here is an example of the SubjectAccessReview.

```json
{
  "metadata": {},
  "spec": {
    "groups": [
      "system:serviceaccounts",
      "system:serviceaccounts:goldilocks",
      "system:authenticated"
    ],
    "resourceAttributes": {
      "namespace": "<redacted>",
      "resource": "jobs",
      "verb": "list",
      "group": "batch",
      "version": "v1"
    },
    "user": "system:serviceaccount:goldilocks:goldilocks-controller",
    "uid": "<redacted>"
  },
  "apiVersion": "authorization.k8s.io/v1",
  "status": {
    "allowed": false
  },
  "kind": "SubjectAccessReview"
}
```

I looked in the code and couldn't find any place where jobs are explicitly queried. So either I missed it, or the k8s client has some logic that lists/watches jobs when listing/watching pods.

If the controller is expected to list the jobs, then this permission should be added to the controller clusterrole; if not, then it would be nice to know why it is making this type of request.

Let me know if I can help, thanks.

luisyonaldo, Jun 29 '22 13:06

So, this is a side effect of how we lookup any top-level controller without having to maintain separate code. We look at pods, and then find their top-level controller.

It is likely that jobs should be included in the clusterrole, but I haven't actually tested if VPA and jobs play nicely together. Would be happy to facilitate someone testing out that functionality and make PRs to cover those controller types.

sudermanjr, Jun 29 '22 16:06
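To make the explanation above concrete, here is an added example in Go (written for this page; it is not goldilocks' own code and not from either participant) that models the walk from a pod up its controller ownerReferences to the top-level controller, and then checks every (apiGroup, resource, verb) the walk touches against a ClusterRole's rules the way an RBAC authorizer answers a SubjectAccessReview. The pods, their owner chains and the ClusterRole rules are constructed for the example; the kind-to-resource map is a hard-coded assumption standing in for API discovery, and the verb is whatever the caller passes (the SubjectAccessReview in the report shows `list`).

```go
package main

import "strings"

// ObjectRef is a Kubernetes object reduced to what an owner-reference walk needs:
// apiVersion/kind/name and its ownerReference with controller: true (nil at the top).
type ObjectRef struct {
	APIVersion, Kind, Name string
	Controller             *ObjectRef
}

// Permission is the (group, resource, verb) triple from spec.resourceAttributes
// of a SubjectAccessReview; PolicyRule mirrors one rules[] entry of a ClusterRole.
type Permission struct{ Group, Resource, Verb string }
type PolicyRule struct{ APIGroups, Resources, Verbs []string }

// kindToResource is an assumed, hard-coded map from the workload kinds this example
// knows to the plural resource names RBAC uses; a real client would use API discovery.
var kindToResource = map[string]string{
	"Pod": "pods", "ReplicaSet": "replicasets", "Deployment": "deployments",
	"StatefulSet": "statefulsets", "DaemonSet": "daemonsets", "Job": "jobs", "CronJob": "cronjobs",
}

// apiGroup: "batch/v1" -> "batch"; the core group "v1" -> "" (apiGroups: [""] in RBAC).
func apiGroup(apiVersion string) string {
	if i := strings.Index(apiVersion, "/"); i >= 0 {
		return apiVersion[:i]
	}
	return ""
}

// TopLevelController follows controller ownerReferences upward from obj and returns the
// top-level object plus the permission needed for each object touched (obj included).
func TopLevelController(obj *ObjectRef, verb string) (*ObjectRef, []Permission) {
	var needed []Permission
	for cur := obj; ; cur = cur.Controller {
		needed = append(needed, Permission{apiGroup(cur.APIVersion), kindToResource[cur.Kind], verb})
		if cur.Controller == nil {
			return cur, needed
		}
	}
}

// containsOrStar is RBAC list matching: "*" matches everything.
func containsOrStar(list []string, want string) bool {
	for _, s := range list {
		if s == "*" || s == want {
			return true
		}
	}
	return false
}

// Granted applies RBAC semantics: deny by default; a rule grants only when all three match.
func Granted(rules []PolicyRule, p Permission) bool {
	for _, r := range rules {
		if containsOrStar(r.APIGroups, p.Group) && containsOrStar(r.Resources, p.Resource) && containsOrStar(r.Verbs, p.Verb) {
			return true
		}
	}
	return false
}

// Denied walks every pod to its top-level controller and returns the deduplicated permissions
// the walk needs that no rule grants: the requests an authorizer would answer allowed: false.
func Denied(pods []*ObjectRef, rules []PolicyRule, verb string) []Permission {
	seen := map[Permission]bool{}
	var denied []Permission
	for _, pod := range pods {
		_, needed := TopLevelController(pod, verb)
		for _, p := range needed {
			if !seen[p] && !Granted(rules, p) {
				denied = append(denied, p)
			}
			seen[p] = true
		}
	}
	return denied
}

// SamplePods is constructed input: a Deployment-managed pod and a CronJob-managed pod.
func SamplePods() []*ObjectRef {
	deploy := &ObjectRef{APIVersion: "apps/v1", Kind: "Deployment", Name: "web"}
	rs := &ObjectRef{APIVersion: "apps/v1", Kind: "ReplicaSet", Name: "web-7c9f", Controller: deploy}
	cron := &ObjectRef{APIVersion: "batch/v1", Kind: "CronJob", Name: "report"}
	job := &ObjectRef{APIVersion: "batch/v1", Kind: "Job", Name: "report-28160", Controller: cron}
	return []*ObjectRef{
		{APIVersion: "v1", Kind: "Pod", Name: "web-7c9f-abcde", Controller: rs},
		{APIVersion: "v1", Kind: "Pod", Name: "report-28160-xyz12", Controller: job},
	}
}

// AssumedRules is a constructed ClusterRole: pods and the apps workload kinds, nothing in
// the batch group, which reproduces the denial shown in the SubjectAccessReview above.
func AssumedRules() []PolicyRule {
	return []PolicyRule{
		{APIGroups: []string{""}, Resources: []string{"pods"}, Verbs: []string{"get", "list", "watch"}},
		{APIGroups: []string{"apps"}, Resources: []string{"deployments", "replicasets", "statefulsets", "daemonsets"}, Verbs: []string{"get", "list", "watch"}},
	}
}
```

`Denied(SamplePods(), AssumedRules(), "list")` returns `batch/jobs` and `batch/cronjobs`, the same shape as the SubjectAccessReview in the report; appending a rule with `apiGroups: ["batch"]`, `resources: ["jobs", "cronjobs"]` and the verbs in use clears it. Two caveats: a cluster that authorizes through an OPA webhook, as in the report, decides the SubjectAccessReview from its own policy rather than from RBAC rules, so this local check only models the RBAC case; and on a live cluster the quickest way to confirm a gap is impersonation, e.g. `kubectl auth can-i list jobs.batch --as=system:serviceaccount:goldilocks:goldilocks-controller -n <namespace>`.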

@sudermanjr thanks for the explanation.

> It is likely that jobs should be included in the clusterrole, but I haven't actually tested if VPA and jobs play nicely together. Would be happy to facilitate someone testing out that functionality and make PRs to cover those controller types.

That sounds good, I can also help to test if needed.

luisyonaldo, Jun 30 '22 06:06

My light testing with jobs seems to suggest that, since there are not always job pods running, the VPA doesn't seem to play too nicely with them.

sudermanjr, Sep 02 '22 13:09