Remove the `All` RBAC manager mode
What problem are you facing?
The RBAC manager has two modes, All and Basic. Historically All was the default mode, but we switched it to Basic in v1.13. You can read more about the modes and why we made the change in https://github.com/crossplane/crossplane/issues/4043.
Quoting that issue:
To be quite honest, this feature was designed in support of Upbound's SaaS authorization model and I regret allowing it to leak into Crossplane. I doubt anyone needs, uses, or even knows about the functionality that `All` mode enables and I don't think it should be the default mode of operation for the RBAC manager.
I've confirmed that Upbound isn't using this mode anymore either. It's likely no-one is.
How could Crossplane help solve your problem?
Assuming no-one is using this mode I think we should remove it. This would effectively mean removing the RBAC namespace controller: https://github.com/crossplane/crossplane/tree/24ed5ad3/internal/controller/rbac/namespace
If you're looking at this issue because you're trying to use the --manage flag and being told to use --deprecated-manage instead please let us know. We think that no-one uses this flag, but want to confirm that.
If you're using --manage=Basic you can just stop setting the flag. We made Basic the default mode in https://github.com/crossplane/crossplane/issues/4043.
If you do need to use --deprecated-manage=All you may need to manually create the RBAC ClusterRoles the Helm chart used to create. You can see the deleted ClusterRole templates in https://github.com/crossplane/crossplane/pull/5373.
I just came to know that this is happening. I don't quite understand what is going on and what the intention is, and I am failing to find any other mechanism that would let us control who can use which claims. Obviously, allowing everyone to use all claims in a multi-tenant cluster is not safe. Can someone please clarify what I am missing?
I don't quite understand what is going on and what is the intention.
@dee-kryvenko the intention was to remove a feature that we had reason to believe no-one wanted or used. Specifically, to remove the --manage=All mode of the RBAC manager. https://github.com/crossplane/crossplane/issues/4043 details specifically what that mode does.
I am failing to find any other mechanism that would let us control who can use which claims. Obviously, allowing everyone to use all claims in a multi-tenant cluster is not safe. Can someone please clarify what I am missing?
No-one is proposing allowing everyone to use all claims. Instead of creating role bindings for the opinionated RBAC roles Crossplane creates (crossplane-edit etc.) you would create and bind your own RBAC roles to allow folks access to claims. I believe this is what most Crossplane users do.
So with --manage=All the flow is:
- Annotate each namespace with each type of claim you want to use in that namespace.
- Create RoleBindings in those namespaces to bind the generated, opinionated RBAC roles to subjects.
Without --manage=All:
- Create your own RBAC Roles (or ClusterRoles) that allow access to every type of claim you want to use.
- Create RoleBindings in each namespace to bind the roles you create to subjects.
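The "without --manage=All" flow above, as an added example that is not part of this thread or of Crossplane's own manifests: one ClusterRole that grants access to a single claim kind, bound into one tenant namespace with a RoleBinding. The API group `platform.example.org`, the plural `exampledatabases`, the namespace `team-a` and the group `team-a-developers` are placeholders; substitute the group and `claimNames.plural` from your own CompositeResourceDefinition and the subjects from your identity provider.

```yaml
# Added example (not from the issue thread). All names below are placeholders.
# A ClusterRole is used so the same rule set can be reused across namespaces,
# but it only takes effect where a RoleBinding references it, so each tenant
# namespace is opted in explicitly.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: claim-user-exampledatabase        # placeholder
rules:
  # Placeholder group and plural of the claim kind (from the XRD's
  # spec.group and spec.claimNames.plural). Only the namespaced claim kind
  # is listed; the cluster-scoped composite resource is deliberately not.
  - apiGroups: ["platform.example.org"]
    resources: ["exampledatabases"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-claim-users                # placeholder
  namespace: team-a                       # placeholder tenant namespace
subjects:
  - kind: Group
    name: team-a-developers               # placeholder group from your IdP
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: claim-user-exampledatabase
  apiGroup: rbac.authorization.k8s.io
```

Because the binding is namespaced, `kubectl auth can-i create exampledatabases.platform.example.org -n team-a --as anyone --as-group team-a-developers` answers yes while the same check with `-n team-b` answers no. Repeat the RoleBinding (not the ClusterRole) per namespace that should be able to use that claim kind; a RoleBinding in a namespace is the replacement for the per-namespace annotation the `All` mode relied on.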
Oh I see. To be honest, this is a bit confusing: with all the aggregate roles, it gave me the impression that there is much more to it than just direct-to-claims roles. I think the documentation led me straight to that conclusion; I do not recall it ever mentioning an alternative (but it was about a year ago that I read it). So it surprised me to learn that this is going away. I think the alternative approach should work for me then. Thank you for clarifying.