
SeedAuthorizer restricting gardenlet permission in garden cluster #1723

Closed
rfranzke opened this issue Dec 13, 2019 · 11 comments · Fixed by #4326
Assignees
Labels
area/security Security related kind/enhancement Enhancement, improvement, extension roadmap/internal Roadmap for our team-internal goals, e.g. drive up seed utilization
Milestone

Comments

@rfranzke
Member

rfranzke commented Dec 13, 2019

With #1601 we have introduced the gardenlet, a component comparable with the kubelet in Kubernetes.

Kubernetes has a dedicated NodeAuthorizer admission plugin which ensures that a kubelet responsible for node X may only touch resources (like Pods, Secrets, etc.) that are related to node X.

In our first introduction of the Gardenlet we haven't implemented such a mechanism yet.
Instead, similar to Gardener v0 (where the gardener-controller-manager was bound to the cluster-admin role), the gardenlet gets full administrator privileges in the garden cluster.

Let's follow Kubernetes' approach and implement a SeedAuthorizer admission plugin which ensures that gardenlets only touch resources related to the Seeds they are responsible for.

Status
- completed
- 🚧 in progress
- to be clarified
- ℹ️ interesting, but not relevant (yet)
- incomplete

Prerequisites:

To-Dos:
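The restriction the issue proposes, as an added example that is not Gardener's own code: a toy authorizer in Go that identifies a gardenlet by its username and group and allows access only to the Seed it is responsible for, the Shoots scheduled to that seed, and the Secrets those Shoots reference; any other request from a gardenlet is denied, while requests from non-gardenlet users get no opinion so later authorizers (e.g. RBAC) decide. The identity convention `gardener.cloud:system:seed:<seed-name>` / group `gardener.cloud:system:seeds`, the `SeedIndex` type, the handling of list/watch on Shoots and the sample Shoot/Secret names are all assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Decision mirrors the three outcomes a Kubernetes authorizer can return.
type Decision string

const (
	DecisionNoOpinion Decision = "NoOpinion" // not a gardenlet: defer to the next authorizer
	DecisionAllow     Decision = "Allow"
	DecisionDeny      Decision = "Deny"
)

// Attributes is the subset of request attributes this example inspects.
type Attributes struct {
	User      string
	Groups    []string
	Verb      string
	Resource  string // lower-case plural, e.g. "shoots", "seeds", "secrets"
	Namespace string
	Name      string // empty for collection requests (list/watch)
}

// Gardenlet identity convention assumed by this example:
// user "gardener.cloud:system:seed:<seed-name>" in group "gardener.cloud:system:seeds".
const (
	seedUserPrefix = "gardener.cloud:system:seed:"
	seedsGroup     = "gardener.cloud:system:seeds"
)

// SeedIndex records which garden-cluster objects belong to which seed (a real
// authorizer would keep it current from informers; here it is filled statically).
type SeedIndex struct {
	shootSeed   map[string]string // "namespace/name" of a Shoot -> seed it is scheduled to
	secretShoot map[string]string // "namespace/name" of a Secret -> Shoot that references it
}

func key(namespace, name string) string { return namespace + "/" + name }

// seedNameFromUser returns the seed name if the requester authenticates as a gardenlet.
func seedNameFromUser(a Attributes) (string, bool) {
	if !strings.HasPrefix(a.User, seedUserPrefix) {
		return "", false
	}
	for _, g := range a.Groups {
		if g == seedsGroup {
			seed := strings.TrimPrefix(a.User, seedUserPrefix)
			return seed, seed != ""
		}
	}
	return "", false
}

// Authorize decides a single request and returns a reason for denials.
func (ix *SeedIndex) Authorize(a Attributes) (Decision, string) {
	seed, ok := seedNameFromUser(a)
	if !ok {
		return DecisionNoOpinion, "requester is not a gardenlet"
	}
	switch a.Resource {
	case "seeds": // a gardenlet may only touch its own Seed object
		if a.Name == seed {
			return DecisionAllow, ""
		}
	case "shoots": // collection reads allowed; the gardenlet narrows them by spec.seedName (design choice here)
		if a.Name == "" && (a.Verb == "list" || a.Verb == "watch") {
			return DecisionAllow, ""
		}
		if owner, found := ix.shootSeed[key(a.Namespace, a.Name)]; found && owner == seed {
			return DecisionAllow, ""
		}
	case "secrets": // reachable only through a Shoot that references them and is scheduled to this seed
		if shoot, found := ix.secretShoot[key(a.Namespace, a.Name)]; found {
			if owner, found := ix.shootSeed[shoot]; found && owner == seed {
				return DecisionAllow, ""
			}
		}
	}
	return DecisionDeny, fmt.Sprintf("gardenlet of seed %q may not %s %s %s/%s",
		seed, a.Verb, a.Resource, a.Namespace, a.Name)
}

// newExampleIndex builds a constructed index: two Shoots on different seeds, one Secret of the first.
func newExampleIndex() *SeedIndex {
	return &SeedIndex{
		shootSeed:   map[string]string{key("garden-team", "prod"): "seed-eu", key("garden-team", "dev"): "seed-us"},
		secretShoot: map[string]string{key("garden-team", "prod-ssh-keypair"): key("garden-team", "prod")},
	}
}

func main() {
	req := Attributes{User: seedUserPrefix + "seed-us", Groups: []string{seedsGroup},
		Verb: "get", Resource: "shoots", Namespace: "garden-team", Name: "prod"}
	d, reason := newExampleIndex().Authorize(req)
	fmt.Println(d, reason) // Deny gardenlet of seed "seed-us" may not get shoots garden-team/prod
}
```

The important property is the default: once a request is recognised as coming from a gardenlet, everything not explicitly related to that seed is denied rather than handed on to RBAC, so a leaked gardenlet credential is bounded to one seed's objects. Non-gardenlet users fall through with `NoOpinion`, which is what lets the authorizer sit in front of the regular RBAC chain without changing behaviour for everyone else.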

@rfranzke rfranzke added the kind/enhancement Enhancement, improvement, extension label Dec 13, 2019
@ghost ghost added lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Feb 12, 2020
@ghost ghost added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 15, 2020
@gardener-robot gardener-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jun 15, 2020
@rfranzke
Member Author

/remove lifecycle/rotten

@gardener-robot gardener-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Jun 22, 2020
@rfranzke
Member Author

/cc @donistz

@gardener-robot gardener-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Sep 19, 2020
@gardener-robot gardener-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Nov 19, 2020
@rfranzke
Member Author

/touch

@gardener-robot gardener-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Jan 18, 2021
@rfranzke
Member Author

rfranzke commented Feb 5, 2021

/assign @timuthy @rfranzke
/security
/normal

@rfranzke rfranzke added the roadmap/internal Roadmap for our team-internal goals, e.g. drive up seed utilization label Jun 11, 2021
@rfranzke rfranzke added this to the 2021-Q2 milestone Jun 11, 2021
@timebertt
Member

Is the envtest for Seed{Authorizer,Restriction} still on your list?

@rfranzke
Member Author

rfranzke commented Jul 8, 2021

No, I think I mentioned this in a Daily meeting some weeks back. I consider the current test coverage to be quite good and I would now move to the next topic instead of implementing an envtest (which probably would make the current unit tests mostly obsolete).

@timebertt
Member

Ok, sounds good. Missed this update :)
