
Certain rolebindings seem to only sync on rbac-manager Pod reboot

Open bcha opened this issue 8 months ago • 7 comments

What happened?

I'm not quite sure what's going on, but we noticed that certain rolebindings can take quite a while, sometimes hours, to appear in their namespaces. After further testing it looks like they are synced on restarts and new Pod creations. Other rolebindings appear pretty much immediately.

What did you expect to happen?

All rolebindings should be synced pretty fast to their namespaces.

How can we reproduce this?

We have a setup like this. The old generic "developer" rbac, which does get synced pretty much immediately:

apiVersion: rbacmanager.reactiveops.io/v1beta1
kind: RBACDefinition
metadata:
  name: developers
rbacBindings:
  - name: developer
    subjects:
      - kind: Group
        name: developers
    roleBindings:
      - clusterRole: edit
        namespaceSelector:
          matchExpressions:
            - key: kubernetes.io/metadata.name
              operator: NotIn
              values:
              - default
              - kube-system
              - kyverno
    clusterRoleBindings:
      - clusterRole: view
      - clusterRole: developer
      - clusterRole: developers-extra-permissions

And then we have these newer rbac that are per-team, so that team-a can have more permissions in their own namespaces, etc. These only seem to sync on rbac-manager restart:

apiVersion: rbacmanager.reactiveops.io/v1beta1
kind: RBACDefinition
metadata:
  name: team-asdfgh-rbac-definition
rbacBindings:
  - name: team-asdfgh
    subjects:
      - kind: Group
        name: team-asdfgh
    roleBindings:
      - clusterRole: edit
        namespaceSelector:
          matchLabels:
            app-owner: team-asdfgh
      - clusterRole: edit
        namespaceSelector:
          matchLabels:
            developers: edit
    clusterRoleBindings:
      - clusterRole: view
      - clusterRole: support
      - clusterRole: developers-extra-permissions

➜ kg rolebindings.rbac.authorization.k8s.io
NAME                        ROLE               AGE
developers-developer-edit   ClusterRole/edit   117s

➜ krrd -n rbac-manager
deployment.apps/rbac-manager restarted

➜ kg rolebindings.rbac.authorization.k8s.io
NAME                                                       ROLE               AGE
developers-developer-edit                                  ClusterRole/edit   2m14s
team-asdfgh-rbac-definition-team-asdfgh-edit               ClusterRole/edit   6s

Could the issue somehow be related to matchLabels usage? Logs aren't really helping, there's nothing relevant.

Version

rbac-manager latest helm chart 1.20, so the app version is v1.8.0. We're running this on EKS with k8s version 1.29.

Search

  • [X] I did search for other open and closed issues before opening this.

Code of Conduct

  • [X] I agree to follow this project's Code of Conduct

Additional context

No response

bcha · Jun 27 '24 04:06
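A way to check for the drift described in this issue, added here as an example and not part of rbac-manager or of the reporter's post: it evaluates each `namespaceSelector` with Kubernetes label-selector semantics (`matchLabels` and `matchExpressions` ANDed; `NotIn` also matches namespaces that lack the key), derives the RoleBinding names that should exist, and diffs them against what the cluster reports. The `<definition>-<binding>-<clusterRole>` naming pattern is inferred from the kubectl output above (`developers-developer-edit`), so treat it as an assumption, and the namespaces and observed RoleBindings are constructed sample data standing in for `kubectl get namespaces --show-labels` and `kubectl get rolebindings -A`.

```python
"""Detect RoleBindings that an RBACDefinition implies but the cluster lacks.

Added example, not rbac-manager's own code. The name pattern below is an
assumption inferred from the issue's output; all input data is constructed.
"""


def expected_name(definition, binding, cluster_role):
    # Assumed pattern, inferred from "developers-developer-edit" in the issue.
    return f"{definition}-{binding}-{cluster_role}"


def selector_matches(selector, labels):
    """Kubernetes label selector semantics: all clauses must hold (AND)."""
    for key, value in selector.get("matchLabels", {}).items():
        if labels.get(key) != value:
            return False
    for expr in selector.get("matchExpressions", []):
        key, op = expr["key"], expr["operator"]
        values = expr.get("values", [])
        present = key in labels
        if op == "In" and not (present and labels[key] in values):
            return False
        if op == "NotIn" and present and labels[key] in values:
            return False  # a namespace without the key still matches NotIn
        if op == "Exists" and not present:
            return False
        if op == "DoesNotExist" and present:
            return False
    return True


def expected_rolebindings(definitions, namespaces):
    """Map namespace -> set of RoleBinding names the definitions imply.

    Only selector-based roleBindings are handled; explicit `namespace:`
    entries (which rbac-manager also supports) are out of scope here.
    """
    expected = {ns: set() for ns in namespaces}
    for rd in definitions:
        dname = rd["metadata"]["name"]
        for rb in rd["rbacBindings"]:
            for role in rb.get("roleBindings", []):
                selector = role.get("namespaceSelector")
                if not selector:
                    continue
                for ns, labels in namespaces.items():
                    if selector_matches(selector, labels):
                        expected[ns].add(
                            expected_name(dname, rb["name"], role["clusterRole"])
                        )
    return expected


def missing_rolebindings(definitions, namespaces, observed):
    """Sorted (namespace, name) pairs that are expected but not observed."""
    expected = expected_rolebindings(definitions, namespaces)
    return sorted(
        (ns, name)
        for ns, names in expected.items()
        for name in names
        if name not in observed.get(ns, set())
    )


# The two RBACDefinitions from the issue, reduced to their roleBindings.
DEFINITIONS = [
    {"metadata": {"name": "developers"},
     "rbacBindings": [{"name": "developer", "roleBindings": [
         {"clusterRole": "edit", "namespaceSelector": {"matchExpressions": [
             {"key": "kubernetes.io/metadata.name", "operator": "NotIn",
              "values": ["default", "kube-system", "kyverno"]}]}}]}]},
    {"metadata": {"name": "team-asdfgh-rbac-definition"},
     "rbacBindings": [{"name": "team-asdfgh", "roleBindings": [
         {"clusterRole": "edit", "namespaceSelector": {"matchLabels": {"app-owner": "team-asdfgh"}}},
         {"clusterRole": "edit", "namespaceSelector": {"matchLabels": {"developers": "edit"}}}]}]},
]

# Constructed namespaces with labels (every namespace carries the automatic
# kubernetes.io/metadata.name label, as on a real cluster).
NAMESPACES = {
    "default": {"kubernetes.io/metadata.name": "default"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
    "shared-tools": {"kubernetes.io/metadata.name": "shared-tools", "developers": "edit"},
    "team-asdfgh-app": {"kubernetes.io/metadata.name": "team-asdfgh-app", "app-owner": "team-asdfgh"},
}

# Constructed snapshot of what the cluster currently reports: the generic
# binding synced, the per-team one has not (the state the issue describes).
OBSERVED = {
    "shared-tools": {"developers-developer-edit"},
    "team-asdfgh-app": {"developers-developer-edit"},
}

if __name__ == "__main__":
    for ns, name in missing_rolebindings(DEFINITIONS, NAMESPACES, OBSERVED):
        print(f"MISSING {ns}/{name}")
```

Running this periodically (or as a one-off after applying a new RBACDefinition) gives a concrete signal when a binding has not been reconciled, which is more useful than waiting on the controller logs; a non-empty result is the cue to look at the controller's namespace watch before restarting the Pod.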