Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix remote host collection RBAC checks #1672

Merged
merged 5 commits into from
Nov 7, 2024

Conversation

diamonwiggins
Copy link
Member

@diamonwiggins diamonwiggins commented Nov 1, 2024

Description, Motivation and Context

  • Move save node list code to run after we check for RBAC
  • Update RBAC checks to cover everything needed for remote host collectors

Checklist

  • New and existing tests pass locally with introduced changes.
  • Tests for the changes have been added (for bug fixes / features)
  • The commit message(s) are informative and highlight any breaking changes
  • Any documentation required has been added/updated. For changes to https://troubleshoot.sh/ create a PR here

Does this PR introduce a breaking change?

  • Yes
  • No

@diamonwiggins diamonwiggins requested a review from a team as a code owner November 1, 2024 16:49
@diamonwiggins diamonwiggins added type::bug Something isn't working bug::normal labels Nov 1, 2024
Copy link
Member

@nvanthao nvanthao left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

many thanks Diamon! LGTM, just a few comments to make sure I understand the changes.

Name: "",
resourceAttributesList := []authorizationv1.ResourceAttributes{
{
Namespace: namespace,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we check on empty namespace?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a use case where you think we might need to? Remote host collection can execute within a single namespace right?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just think passing empty namespace should not allowed as we are checking RBAC in both cluster-scope and namespace-scoped such as get/pods

Copy link
Member Author

@diamonwiggins diamonwiggins Nov 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are you saying we should default to default for the namespace or fail if no namespace is provided? Right now, if the user doesn't provide a namespace when executing remote host collectors via the CLI, then we pretty much assume "" for the namespace.

This may be a larger thing we want to address in the project as I've noticed that the namespace in the kubeconfig context isn't used as the default, and it's not clear if we intend to do so or if we default to assuming cluster scoped access if you don't specify "-n" when running troubleshoot binaries. This would be another one of those issues that's a larger thing we need to revisit in the project as the behavior is the same for in-cluster collectors today.

Let me know if that clears things up, or maybe i'm still not quite following what you're suggesting.

pkg/supportbundle/rbac.go Show resolved Hide resolved
Resource: "pods,configmap",
Subresource: "",
Name: "",
resourceAttributesList := []authorizationv1.ResourceAttributes{
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this could be a constant declared outside so that we will remember to update it in the future.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you clarify? I'm not sure I follow why moving it from here would make it more visible?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean setting resourceAttributesList as a package constant would make it more discoverable as a configuration rather than hiding it inside checkRemoteCollectorRBAC. E.g. when we have new collector with additional permission.

On this, I also think we are missing permission create pods/exec for executing collect binary.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On this, I also think we are missing permission create pods/exec for executing collect binary.

This PR is for the existing code which I don't think uses exec at the moment.

I mean setting resourceAttributesList as a package constant would make it more discoverable as a configuration rather than hiding it inside checkRemoteCollectorRBAC. E.g. when we have new collector with additional permission.

I don't have a super strong opinion here, but it doesn't feel like this list is going to be shared across multiple functions, so I'm not sure it needs to come out of this function.

Copy link
Member

@banjoh banjoh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@diamonwiggins diamonwiggins merged commit 06506ed into main Nov 7, 2024
27 checks passed
@diamonwiggins diamonwiggins deleted the diamonwiggins/fix-remote-collector-rbac branch November 7, 2024 15:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug::normal type::bug Something isn't working
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants