Add aggregated cluster roles for default user-facing roles
Is your feature request related to a problem? Please describe.
In our multi-tenant clusters we would like to grant our end-users RBAC to view/edit VSO custom resources in their namespaces. We work a lot with operators, and it is common to deliver operators with aggregated clusterroles targeted for the Kubernetes default user-facing roles.
Describe the solution you'd like
I think we should include aggregated clusterroles to view and edit all custom resources in the secrets.hashicorp.com API group. It seems like all resources are namespaced at present.
The view role should be aggregated to:
- the default user-facing `view` namespace role
- optional: the default (OpenShift) user-facing `cluster-reader` cluster role
The edit role should be aggregated to:
- the default user-facing `edit` namespace role
- the default user-facing `admin` namespace role
Describe alternatives you've considered
As a workaround we have added aggregated clusterroles to view and edit all CRDs in the secrets.hashicorp.com API group.
Additional context
These are the ClusterRoles we have added as a workaround to this issue:
```yaml
# FIXME: User-facing roles are missing from upstream. Maybe file a PR?
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: vault-secrets-operator-view
rules:
- apiGroups:
  - secrets.hashicorp.com
  resources:
  - "*"
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: vault-secrets-operator-edit
rules:
- apiGroups:
  - secrets.hashicorp.com
  resources:
  - "*"
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
```
This commit doesn't seem to solve the actual issue. It now deploys the rbac rules, but still doesn't provide the option for aggregating to the admin, edit, viewer and cluster-reader role.
@chrysalis69 - thanks for pointing this out. We are going to take a closer look to see how best to support this enhancement.
@chrysalis69 hi, try creating a new ClusterRole that includes/selects all the roles you want, for example:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    meta.helm.sh/release-name: sa-essential
    meta.helm.sh/release-namespace: sa-common
  creationTimestamp: "2024-04-02T10:40:12Z"
  name: helm-admin
  resourceVersion: "2071070231"
  uid: 834aac05-1296-44b0-9fc5-2b1750411310
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      vso.hashicorp.com/role-instance: vaultstaticsecret-editor-role
  - matchLabels:
      rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules: [] # auto-generated
```
read more: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles
🤯 Didn't even think of aggregating to an existing aggregation. Thanks for the info @LeoQuote
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: vault-secrets-operator-viewer-role
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      vso.hashicorp.com/role-instance: hcpsecretsapp-viewer-role
  - matchLabels:
      vso.hashicorp.com/role-instance: vaultstaticsecret-viewer-role
```
This solves the issue from my end.
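The workaround in the issue body and the nested-aggregation trick above both rely on the RBAC aggregation controller filling the `rules` of a ClusterRole from every other ClusterRole its `clusterRoleSelectors` match, and on that filled role being picked up in turn by the next level (`view`, then `edit`, then `admin`). The following is an added example, not code from the operator project or from anyone in this thread: it simulates that aggregation over a constructed set of manifests (the built-in `view`/`edit`/`admin` roles are modelled by their aggregation labels and selectors only, after the upstream bootstrap policy, with no upstream rules) and then checks what each user-facing role ends up granting on `secrets.hashicorp.com`, including a least-privilege check that no write verb leaks into `view`. The chart-generated role name `vaultstaticsecret-viewer-role` and the `hcpsecretsapp` resource are taken from the thread; the rule bodies for those roles are assumed.

```python
"""Simulate Kubernetes ClusterRole aggregation to see what the default
user-facing roles grant once the operator's ClusterRoles are added.

Added example for this thread, not code from the operator project. The
built-in view/edit/admin roles are modelled by their aggregation labels
and selectors only, which is enough to follow the aggregation chain.
"""
import copy
import json

READ_VERBS = {"get", "list", "watch"}

# Constructed manifests in JSON form (Kubernetes accepts JSON as well as
# YAML). The rule bodies of the chart-generated viewer role are assumed.
MANIFESTS = json.loads(r"""
[
  {"metadata": {"name": "view",
                "labels": {"rbac.authorization.k8s.io/aggregate-to-edit": "true"}},
   "aggregationRule": {"clusterRoleSelectors": [
     {"matchLabels": {"rbac.authorization.k8s.io/aggregate-to-view": "true"}}]},
   "rules": []},
  {"metadata": {"name": "edit",
                "labels": {"rbac.authorization.k8s.io/aggregate-to-admin": "true"}},
   "aggregationRule": {"clusterRoleSelectors": [
     {"matchLabels": {"rbac.authorization.k8s.io/aggregate-to-edit": "true"}}]},
   "rules": []},
  {"metadata": {"name": "admin"},
   "aggregationRule": {"clusterRoleSelectors": [
     {"matchLabels": {"rbac.authorization.k8s.io/aggregate-to-admin": "true"}}]},
   "rules": []},
  {"metadata": {"name": "vaultstaticsecret-viewer-role",
                "labels": {"vso.hashicorp.com/role-instance": "vaultstaticsecret-viewer-role"}},
   "rules": [{"apiGroups": ["secrets.hashicorp.com"],
              "resources": ["vaultstaticsecrets"],
              "verbs": ["get", "list", "watch"]}]},
  {"metadata": {"name": "vault-secrets-operator-viewer-role",
                "labels": {"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
   "aggregationRule": {"clusterRoleSelectors": [
     {"matchLabels": {"vso.hashicorp.com/role-instance": "vaultstaticsecret-viewer-role"}}]},
   "rules": []},
  {"metadata": {"name": "vault-secrets-operator-edit",
                "labels": {"rbac.authorization.k8s.io/aggregate-to-admin": "true",
                           "rbac.authorization.k8s.io/aggregate-to-edit": "true"}},
   "rules": [{"apiGroups": ["secrets.hashicorp.com"], "resources": ["*"],
              "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}]}
]
""")


def _matches(labels, selectors):
    """A ClusterRole matches if every key/value of ANY one selector is present."""
    return any(all(labels.get(k) == v for k, v in sel.get("matchLabels", {}).items())
               for sel in selectors)


def aggregate(manifests):
    """Return {name: rules} once aggregation reaches a fixpoint.

    The controller stores the collected rules on the aggregated object, so
    an aggregated role that itself carries an aggregate-to-* label is then
    picked up by the next level. Iterating until nothing changes reproduces
    that transitive behaviour; duplicates are collapsed by rule content.
    """
    roles = {m["metadata"]["name"]: copy.deepcopy(m) for m in manifests}
    for _ in range(len(roles) + 1):  # chain depth is bounded by the role count
        changed = False
        for name, role in roles.items():
            selectors = role.get("aggregationRule", {}).get("clusterRoleSelectors")
            if not selectors:
                continue  # plain role: its rules are authored, not computed
            seen, new_rules = set(), []
            for other_name, other in roles.items():
                if other_name == name:
                    continue
                if _matches(other["metadata"].get("labels", {}), selectors):
                    for rule in other["rules"]:
                        key = json.dumps(rule, sort_keys=True)
                        if key not in seen:
                            seen.add(key)
                            new_rules.append(rule)
            if new_rules != role["rules"]:
                role["rules"] = new_rules
                changed = True
        if not changed:
            break
    return {name: role["rules"] for name, role in roles.items()}


def verbs_for(rules, group, resource):
    """Verbs the rules grant on group/resource, honouring '*' wildcards."""
    verbs = set()
    for rule in rules:
        if (group in rule["apiGroups"] or "*" in rule["apiGroups"]) and \
           (resource in rule["resources"] or "*" in rule["resources"]):
            verbs.update(rule["verbs"])
    return verbs


def write_verbs_in_view(rules):
    """Least-privilege check: verbs beyond get/list/watch that reached `view`."""
    return {v for r in rules for v in r["verbs"]} - READ_VERBS


if __name__ == "__main__":
    agg = aggregate(MANIFESTS)
    for name in ("view", "edit", "admin"):
        print(name, sorted(verbs_for(agg[name], "secrets.hashicorp.com", "vaultstaticsecrets")))
    print("write verbs leaking into view:", write_verbs_in_view(agg["view"]))
```

Running it shows `view` receiving only get/list/watch on `vaultstaticsecrets` through the two-level chain, while `edit` and `admin` receive the full verb set from `vault-secrets-operator-edit` on every resource in the group. The same functions can be pointed at `kubectl get clusterroles -o json` output to confirm what a real cluster's `view` role ends up granting after the chart is installed.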
wow, this one looks even better 👍
To make the commit from @benashz work, at a minimum we need to add configurable custom labels for each ClusterRole. Currently it only uses global labels (vso.chart.labels).
Released in https://github.com/hashicorp/vault-secrets-operator/releases/tag/v0.7.0