Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

helm: Grant the cilium-operator pod:delete permissions by default #32597

Closed
wants to merge 1 commit into from
Closed

helm: Grant the cilium-operator pod:delete permissions by default #32597

wants to merge 1 commit into from

Conversation

ostrowr
Copy link

@ostrowr ostrowr commented May 16, 2024
edited

cilium-operator requires the pod:delete permission to manage [core|kube]dns pods that are managed by cilium.

These pods are only managed by cilium if disableEndpointCRD is false.

disableEndpointCRD is false by default, but the operator doesn't get the permission unless you explicitly set disableEndpointCRD to false. This is very unintuitive; I would expect that setting something to false that is false by default should be a noop.

This PR simply removes the explicit hasKey check and leaves the key value checks in, which should be the only ones that matter anyway.

Looks like this check was originally introduced in f612c97 which I think had the right idea – this permission should only exist when delete is needed – but it shouldn't require a user to explicitly re-set a default.

Before this change, with default values:

❯ kubectl describe clusterroles -n cilium cilium-operator | grep pods
  pods                                                   []                 []              [get list watch]

After this change, with default values:

❯ kubectl describe clusterroles -n cilium cilium-operator | grep pods
  pods                                                   []                 []              [get list watch delete]

Explicitly setting disableEndpointCRD to true removes the delete permission.

  • For first time contributors, read Submitting a pull request
  • All code is covered by unit and/or runtime tests where feasible.
  • All commits contain a well written commit description including a title,
    description and a Fixes: #XXX line if the commit addresses a particular
    GitHub issue.
  • If your commit description contains a Fixes: <commit-id> tag, then
    please add the commit author[s] as reviewer[s] to this issue.
  • All commits are signed off. See the section Developer’s Certificate of Origin
  • Provide a title or release-note blurb suitable for the release notes.
  • Are you a user of Cilium? Please add yourself to the Users doc
  • Thanks for contributing!

@ostrowr ostrowr requested review from a team as code owners May 16, 2024 23:45
@maintainer-s-little-helper
Copy link

Commit 84109da does not match "(?m)^Signed-off-by:".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

@maintainer-s-little-helper maintainer-s-little-helper bot added dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels May 16, 2024
@ostrowr
remove the explicit hasKey check for disableEndpointCRD for cilium-…
3dc5f5d 
…operator permission assignment

Signed-off-by: Robbie Ostrow <ostrowr@gmail.com>
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label May 16, 2024
@ostrowr ostrowr force-pushed the remove-explicit-check-for-value-in-helm-chart branch from 84109da to 3dc5f5d Compare May 16, 2024 23:46
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label May 16, 2024
@ostrowr
Copy link
Author

ostrowr commented May 20, 2024

cc @aanm who was the original author here and may have more context

@gandro
Copy link
Member

gandro commented May 21, 2024
edited

The change itself looks fine to me, but I don't understand this bit:

Before this change, with default values:

❯ kubectl describe clusterroles -n cilium cilium-operator | grep pods
  pods                                                   []                 []              [get list watch]

Using the default values (i.e. just using helm install without setting anything besides the namespace), I do see the operator having the delete permission - which makes sense, disableEndpointCRD is explicitly set in our values.yaml

@ostrowr
Copy link
Author

ostrowr commented May 21, 2024

Ah, turns out this wasn't because of value overriding; it was because of some confusing default behavior that it looks like has been fixed in recent versions.

@ostrowr ostrowr closed this May 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tommyp1ckles tommyp1ckles Awaiting requested review from tommyp1ckles tommyp1ckles is a code owner automatically assigned from cilium/sig-k8s

@gandro gandro Awaiting requested review from gandro gandro is a code owner automatically assigned from cilium/helm

Assignees
No one assigned
Labels
dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. kind/community-contribution This was a contribution made by a community member.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@ostrowr @gandro