SeedAuthorizer restricting gardenlet permission in garden cluster #1723
Labels: area/security (Security related), kind/enhancement (Enhancement, improvement, extension), roadmap/internal (Roadmap for our team-internal goals, e.g. drive up seed utilization)
Timeline
Feb 12, 2020: ghost added and removed the lifecycle/stale label.
Apr 15, 2020: ghost added the lifecycle/stale label.
Jun 15, 2020: gardener-robot added the lifecycle/rotten label and removed the lifecycle/stale label.
Jun 22, 2020: after a "/remove lifecycle/rotten" comment, gardener-robot removed the lifecycle/rotten label.
Comment: /cc @donistz
Sep 19, 2020: gardener-robot added the lifecycle/stale label.
Nov 19, 2020: gardener-robot added the lifecycle/rotten label and removed the lifecycle/stale label.
Jan 18, 2021: after a "/touch" comment, gardener-robot removed the lifecycle/rotten label.
Mar 5, 2021: rfranzke changed the title from "SeedAuthorizer admission plugin" to "SeedAuthorizer restricting gardenlet permission in garden cluster".
Jun 11, 2021: rfranzke added the roadmap/internal label.
This issue was referenced by other issues or pull requests on Feb 15, Apr 16, Apr 26, May 12, May 20, May 28, Jun 9 and Jul 7, 2021.
(lifecycle/stale denotes an issue or PR that has remained open with no activity and has become stale; lifecycle/rotten denotes an issue or PR that has aged beyond stale and will be auto-closed.)
Comments
Is the envtest for
No, I think I mentioned this in a Daily meeting some weeks back. I consider the current test coverage quite good and I would now move to the next topic instead of implementing an envtest (which probably would make the current unit tests mostly obsolete).
Ok, sounds good. Missed this update :)
Description
With #1601 we have introduced the gardenlet, a component comparable with the kubelet in Kubernetes. Kubernetes has a dedicated NodeAuthorizer admission plugin which ensures that a kubelet responsible for nodeX may only touch resources (like Pods, Secrets, etc.) that are related to nodeX.

In our first introduction of the Gardenlet we haven't implemented such a mechanism yet. Instead, similar to Gardener v0 (where the gardener-controller-manager was bound to the cluster-admin role), the gardenlet gets full administrator privileges in the garden cluster.

Let's follow Kubernetes' approach and implement a SeedAuthorizer admission plugin which ensures that gardenlets only touch resources related to the Seeds they are responsible for.

Prerequisites:
… garden namespace #1725)

To-Dos:
SeedAuthorizer authorization plugin and SeedRestriction admission plugin #3571
… garden namespace #1725)
… CloudProfiles, Shoots, Secrets, etc.)
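To make the proposed decision rule concrete, here is an added Go model of the check a SeedAuthorizer has to make for each request. It is not code from this issue or from the Gardener project: it assumes that a gardenlet authenticates as a user named `gardener.cloud:system:seed:<seed-name>` (an assumption for this example), uses a constructed set of two Shoots that share one Secret, and keeps an index from each garden-cluster object to the seeds it is related to, so that a request is allowed only when the requesting gardenlet's seed is among them. Requests from non-gardenlet identities and unscoped list/watch requests return NoOpinion so that RBAC can still decide, mirroring how a Kubernetes authorizer chain composes.

```go
package main

import (
	"fmt"
	"strings"
)

// Decision is the three-valued result a Kubernetes-style authorizer returns.
type Decision string

const (
	NoOpinion Decision = "NoOpinion" // defer to the next authorizer in the chain (e.g. RBAC)
	Allow     Decision = "Allow"
	Deny      Decision = "Deny"
)

// Assumed identity convention for this example: a gardenlet authenticates as a user
// whose name carries the seed it is responsible for.
const seedUserPrefix = "gardener.cloud:system:seed:"

// Request is the subset of authorization attributes the authorizer inspects.
type Request struct{ User, Verb, Resource, Namespace, Name string }

// ObjectRef identifies one object in the garden cluster.
type ObjectRef struct{ Resource, Namespace, Name string }

// Shoot is a constructed stand-in for a Gardener Shoot: scheduled onto one seed and
// referencing secrets in its own namespace.
type Shoot struct {
	Namespace, Name, SeedName string
	SecretNames               []string
}

// SeedAuthorizer answers "may the gardenlet of seed X touch object Y?" from an index
// mapping every object to the seeds it is related to.
type SeedAuthorizer struct{ relatedSeeds map[ObjectRef][]string }

// NewSeedAuthorizer builds that index: a shoot is related to its seed, and so is every
// secret the shoot references (a secret shared by shoots on different seeds is related
// to each of those seeds).
func NewSeedAuthorizer(shoots []Shoot) *SeedAuthorizer {
	idx := map[ObjectRef][]string{}
	for _, s := range shoots {
		shootRef := ObjectRef{"shoots", s.Namespace, s.Name}
		idx[shootRef] = append(idx[shootRef], s.SeedName)
		for _, name := range s.SecretNames {
			secretRef := ObjectRef{"secrets", s.Namespace, name}
			idx[secretRef] = append(idx[secretRef], s.SeedName)
		}
	}
	return &SeedAuthorizer{relatedSeeds: idx}
}

// Authorize returns the decision for one request plus a human-readable reason.
func (a *SeedAuthorizer) Authorize(req Request) (Decision, string) {
	// Only gardenlet identities are judged here; anyone else falls through to RBAC.
	seed := strings.TrimPrefix(req.User, seedUserPrefix)
	if seed == req.User || seed == "" {
		return NoOpinion, "caller is not a gardenlet"
	}
	// Collection requests (list/watch without a name) cannot be scoped to one seed by
	// this index; leave them to RBAC instead of allowing or denying them wholesale.
	if req.Name == "" {
		return NoOpinion, "collection request is not scoped by seed"
	}
	// A gardenlet may touch its own Seed object and no other.
	if req.Resource == "seeds" {
		if req.Name == seed {
			return Allow, "own seed object"
		}
		return Deny, fmt.Sprintf("gardenlet of %q may not access seed %q", seed, req.Name)
	}
	for _, related := range a.relatedSeeds[ObjectRef{req.Resource, req.Namespace, req.Name}] {
		if related == seed {
			return Allow, fmt.Sprintf("%s %s/%s is related to seed %q", req.Resource, req.Namespace, req.Name, seed)
		}
	}
	// Default deny: objects unrelated to this seed, including ones the index does not know.
	return Deny, fmt.Sprintf("%s %s/%s is not related to seed %q", req.Resource, req.Namespace, req.Name, seed)
}

// sampleAuthorizer wires up constructed data: two shoots on different seeds sharing one secret.
func sampleAuthorizer() *SeedAuthorizer {
	return NewSeedAuthorizer([]Shoot{
		{Namespace: "garden-dev", Name: "foo", SeedName: "seed-a", SecretNames: []string{"foo-infra", "shared-dns"}},
		{Namespace: "garden-dev", Name: "bar", SeedName: "seed-b", SecretNames: []string{"bar-infra", "shared-dns"}},
	})
}

func main() {
	a := sampleAuthorizer()
	for _, r := range []Request{
		{User: seedUserPrefix + "seed-a", Verb: "get", Resource: "shoots", Namespace: "garden-dev", Name: "foo"},
		{User: seedUserPrefix + "seed-b", Verb: "get", Resource: "shoots", Namespace: "garden-dev", Name: "foo"},
		{User: seedUserPrefix + "seed-b", Verb: "get", Resource: "secrets", Namespace: "garden-dev", Name: "shared-dns"},
		{User: seedUserPrefix + "seed-a", Verb: "update", Resource: "seeds", Name: "seed-b"},
	} {
		d, why := a.Authorize(r)
		fmt.Printf("%-32s %-6s %-8s %-10s -> %s (%s)\n", r.User, r.Verb, r.Resource, r.Name, d, why)
	}
}
```

The index is the part that would need to track the real object graph (a Shoot's seedName, the Secrets, CloudProfiles and other objects it references) and be kept current as objects change; the decision itself stays a membership check, which is what keeps a gardenlet that is compromised on one seed from reaching objects that belong to another.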