
fix: remove ServiceAccount binding to the edit role #316


Merged
merged 2 commits into from
Oct 5, 2023

Conversation

@VanillaSpoon (Contributor) commented Oct 3, 2023

Issue link

closes #161

What changes have been made

In the current setup, we have a ClusterRoleBinding between the ServiceAccount and the default edit ClusterRole. The edit role provides an expansive set of permissions which have been checked and deemed not necessary for the operator's functionality.

Therefore this PR removes the ClusterRoleBinding.

Checks

  • I've made sure the tests are passing.
  • Testing Strategy
    • Unit tests
    • Manual tests
    • Testing is not required for this change

@VanillaSpoon (Contributor, Author) commented Oct 3, 2023

Hey @astefanutti
I believe the e2e here is failing due to a timeout from CODEFLARE_TEST_TIMEOUT_MEDIUM. Would there be any solution recommendations towards this, or would increasing the timeout wait suffice?

@sutaakar (Contributor) commented Oct 4, 2023

@VanillaSpoon There is an error logged in operator pod:

E1003 15:07:58.460889       1 queuejob_controller_ex.go:2097] Failed to delete resources associated with app wrapper: 'test-ns-tcbrs/mnist', err 1 error occurred:
	* jobs.batch is forbidden: User "system:serviceaccount:openshift-operators:codeflare-operator-controller-manager" cannot list resource "jobs" in API group "batch" at the cluster scope

That is probably the reason for the test failure.

@astefanutti (Contributor) commented, quoting @sutaakar:

@VanillaSpoon There is an error logged in operator pod:

E1003 15:07:58.460889       1 queuejob_controller_ex.go:2097] Failed to delete resources associated with app wrapper: 'test-ns-tcbrs/mnist', err 1 error occurred:
	* jobs.batch is forbidden: User "system:serviceaccount:openshift-operators:codeflare-operator-controller-manager" cannot list resource "jobs" in API group "batch" at the cluster scope

That is probably the reason for the test failure.

@VanillaSpoon @sutaakar I'd suggest we add permissions for batch Job resources to the default operator role.

@VanillaSpoon (Contributor, Author) commented:

I appreciate the support on this @astefanutti and @sutaakar.

The changes have been updated in 9762026

@sutaakar (Contributor) left a review comment:

/lgtm

verbs:
- list
- delete
- create
@astefanutti (Contributor) commented on the lines above:

While that works, MCAD should theoretically also be able to update these resources, so I'd suggest adding the following verbs for consistency:

- patch
- update
- watch
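To make the two technical points in this thread checkable offline (the `cannot list resource "jobs" in API group "batch"` denial from the operator log, and why `patch`, `update` and `watch` were added next to `list`, `delete` and `create`), here is an added example: a small Python model of how the Kubernetes RBAC authorizer matches a request against a role's rules. It is not the codeflare-operator's code and does not contact an API server; the rule sets, the `example.dev`/`appwrappers` placeholder and the excerpt of the built-in `edit` role are constructed for illustration.

```python
"""Toy evaluator for Kubernetes RBAC PolicyRules.

Constructed example for this PR thread: it models how the API server decides
whether a ClusterRole grants a request, so the 'jobs.batch is forbidden' error
and the verb list suggested for batch Jobs can be checked offline. The rule
sets below are constructed; none of this is the codeflare-operator's code.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One entry of a ClusterRole's `rules:` list."""
    api_groups: tuple  # ("",) is the core API group
    resources: tuple
    verbs: tuple


@dataclass(frozen=True)
class Request:
    verb: str
    api_group: str
    resource: str


def _matches(allowed, value):
    # "*" in a rule matches any value, as in the real RBAC authorizer.
    return "*" in allowed or value in allowed


def rule_allows(rule, req):
    return (_matches(rule.api_groups, req.api_group)
            and _matches(rule.resources, req.resource)
            and _matches(rule.verbs, req.verb))


def role_allows(rules, req):
    """A request is allowed if any single rule matches all three fields."""
    return any(rule_allows(r, req) for r in rules)


def missing_verbs(rules, api_group, resource, needed):
    """Verbs from `needed` that no rule grants on the given resource."""
    return sorted(v for v in needed
                  if not role_allows(rules, Request(v, api_group, resource)))


# The six verbs on batch/jobs that the review thread settled on.
RECONCILE_VERBS = ("create", "delete", "list", "patch", "update", "watch")

# Constructed stand-in for the operator role before the fix: it only covers
# the operator's own custom resource (placeholder group name), not batch Jobs.
ROLE_BEFORE = (
    Rule(("example.dev",), ("appwrappers",), ("*",)),
)

# First revision from the review: list/delete/create on batch Jobs.
ROLE_FIRST_REVISION = ROLE_BEFORE + (
    Rule(("batch",), ("jobs",), ("list", "delete", "create")),
)

# After the review: patch/update/watch added for consistency.
ROLE_FINAL = ROLE_BEFORE + (
    Rule(("batch",), ("jobs",), RECONCILE_VERBS),
)

# Constructed excerpt of the built-in `edit` ClusterRole: it grants read/write
# on Secrets and Pods, which the operator does not need. A ClusterRoleBinding
# to it makes that grant cluster-wide rather than per namespace.
EDIT_EXCERPT = (
    Rule(("",), ("secrets", "configmaps", "pods"),
         ("create", "delete", "get", "list", "patch", "update", "watch")),
    Rule(("batch",), ("jobs",),
         ("create", "delete", "get", "list", "patch", "update", "watch")),
)

# The request that failed in the operator log quoted in the thread.
FAILED_REQUEST = Request("list", "batch", "jobs")

# Constructed probes for permissions the operator has no need for.
PROBES = (
    Request("create", "", "secrets"),
    Request("list", "", "secrets"),
    Request("delete", "", "pods"),
)


def over_grants(rules, probes=PROBES):
    """Probe requests outside the operator's needs that the rules still allow."""
    return [f"{p.verb} {p.resource}" for p in probes if role_allows(rules, p)]


if __name__ == "__main__":
    for name, rules in [("before", ROLE_BEFORE),
                        ("first revision", ROLE_FIRST_REVISION),
                        ("final", ROLE_FINAL), ("edit excerpt", EDIT_EXCERPT)]:
        print(f"{name:15} list jobs.batch: {role_allows(rules, FAILED_REQUEST)}  "
              f"missing: {missing_verbs(rules, 'batch', 'jobs', RECONCILE_VERBS)}  "
              f"over-grants: {over_grants(rules)}")
```

Running the script shows the progression the thread went through: the pre-fix role denies the `list jobs` call that the controller makes while cleaning up an AppWrapper, the first revision allows it but still lacks `patch`, `update` and `watch`, and the final role grants exactly the six verbs with no over-grants on the probes, whereas the `edit` excerpt passes every probe. The same comparison can be made against a live cluster with `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<namespace>:<serviceaccount>` for each verb in the list.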

@VanillaSpoon (Contributor, Author) replied:

Thanks @astefanutti :) I have applied the update in aa18a41

@astefanutti (Contributor) commented:

/lgtm

@astefanutti (Contributor) commented:

/approve

@openshift-ci bot commented Oct 5, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: astefanutti

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci bot added the approved label Oct 5, 2023

@astefanutti (Contributor) commented:

Thanks a lot @VanillaSpoon, that's a critical fix w.r.t. security.

Linked issue (may be closed by merging this pull request): The operator service account should not be bound to the edit role