
Include RBAC permissions to custom resources in KEDA manifests

Open wmedlar opened this issue 3 years ago • 5 comments

Proposal

KEDA should attach corresponding CRD permissions to the built-in view, edit, and admin ClusterRoles through ClusterRole aggregation. Right now KEDA requires configuring permissions for its resources manually, introducing burden for cluster operators. Aggregation is a common pattern for applications that deploy CRDs (see cert-manager for an example) that reduces this burden and simplifies the installation process.

Use-Case

As a cluster operator, I would like to provide KEDA as a platform service to application teams, using a permissions model that follows best practices by consuming built-in, least-privileged ClusterRoles.

Anything else?

This is an example of the aggregated ClusterRoles that I apply manually after deploying KEDA.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: keda:edit
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
rules:
- apiGroups:
  - keda.sh
  resources:
  - clustertriggerauthentications
  - scaledjobs
  - scaledobjects
  - triggerauthentications
  verbs:
  - create
  - delete
  - patch
  - update

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: keda:view
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups:
  - keda.sh
  resources:
  - clustertriggerauthentications
  - scaledjobs
  - scaledobjects
  - triggerauthentications
  verbs:
  - get
  - list
  - watch
```

wmedlar avatar Mar 07 '22 20:03 wmedlar
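The label-based aggregation proposed in the issue above can be checked offline before manifests are applied. This is an added example, not part of the original issue or of KEDA's code: it models only direct `aggregate-to-*` label matching, and `role`, `aggregated_verbs` and `audit_view` are hypothetical helper names.

```python
# Added example: offline model of ClusterRole aggregation by label (matchLabels only).
AGG = "rbac.authorization.k8s.io/aggregate-to-"
KEDA = ["clustertriggerauthentications", "scaledjobs", "scaledobjects",
        "triggerauthentications"]
READ_ONLY = {"get", "list", "watch"}

def role(name, targets, verbs):
    """Build a minimal ClusterRole dict for the keda.sh resources (hypothetical helper)."""
    return {"name": name,
            "labels": {AGG + t: "true" for t in targets},
            "rules": [{"apiGroups": ["keda.sh"], "resources": KEDA, "verbs": verbs}]}

# Constructed sample mirroring the two manifests in the issue.
ROLES = [
    role("keda:edit", ["admin", "edit"], ["create", "delete", "patch", "update"]),
    role("keda:view", ["admin", "edit", "view"], ["get", "list", "watch"]),
]

def aggregated_verbs(roles, target, api_group="keda.sh"):
    """Verbs per resource that the built-in `target` role gains from labelled roles."""
    granted = {}
    for r in roles:
        if r["labels"].get(AGG + target) != "true":
            continue  # the target's label selector does not match this role
        for rule in r["rules"]:
            if not {api_group, "*"} & set(rule["apiGroups"]):
                continue  # rule covers neither this API group nor all groups
            for res in rule["resources"]:
                granted.setdefault(res, set()).update(rule["verbs"])
    return granted

def audit_view(roles):
    """Findings where the view role would gain anything beyond get/list/watch."""
    return [f"view gains {sorted(verbs - READ_ONLY)} on {res}"
            for res, verbs in sorted(aggregated_verbs(roles, "view").items())
            if verbs - READ_ONLY]

if __name__ == "__main__":
    for target in ("view", "edit", "admin"):
        print(target, sorted(aggregated_verbs(ROLES, target)["scaledobjects"]))
    print(audit_view(ROLES) or "view stays read-only")
```

Running `audit_view` over rendered manifests in CI catches a write-capable role that is accidentally labelled `aggregate-to-view`.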

@zroubalik Thoughts? @wmedlar Are you willing to jump in if we want to do this? Keep in mind that we should be backwards compatible.

tomkerkhove avatar Mar 08 '22 09:03 tomkerkhove

If needed, sure.

wmedlar avatar Mar 08 '22 17:03 wmedlar

Sounds good, let's do this :)

zroubalik avatar Mar 10 '22 12:03 zroubalik

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar May 09 '22 16:05 stale[bot]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jul 09 '22 17:07 stale[bot]