Aggregated ClusterRole for Addressables

[Harwayne]

Expected Behavior

I should be able to create a ServiceAccount and give it RBAC permissions to resolve all known Addressables. If a new Addressable Kind is created, my ServiceAccount should get permission to resolve it as well, without needing any work specific to this ServiceAccount.

Actual Behavior

Today all the ServiceAccounts seem to get their own custom ClusterRoles that include all known Addressables at the time. Creating a new Addressable causes all of those ClusterRoles to be updated (see knative/eventing-contrib#252).

Proposal

We create a single aggregated ClusterRole. Then whenever a new Addressable is created, it is the responsibility of that CRD's author to create a ClusterRole that will aggregate the new permissions into the single aggregated ClusterRole.

E.g.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: addressable-resolver
aggregationRule:
  clusterRoleSelectors:
  - matchLabels:
      eventing.knative.dev/addressable: "true"
rules: [] # Rules are automatically filled in by the controller manager.

Then to make Broker resolve correctly, the creator of the Broker CRD also creates the following:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: broker-addressable-resolver
  labels:
      eventing.knative.dev/addressable: "true"
# Do not use this role directly. These rules will be added to the "addressable-resolver" role.
rules:
- apiGroups:
  - eventing.knative.dev/v1alpha1
  resources:
  - brokers
  - brokers/status
  verbs:
  - get
  - list
  - watch

Then, as a user creating a ServiceAccount that needs to resolve Addressables, I give the following ClusterRoleBinding/RoleBinding:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: foo-addressable-resolver
subjects:
- kind: serviceAccount
  name: foo
roleRef:
  kind: ClusterRole
  name: addressable-resolver
  apiGroup: rbac.authorization.k8s.io

So when someone adds another Addressable CRD (e.g. Channel), they also add the ClusterRole that will get aggregated into addressable-resolver and the ServiceAccount foo automatically gets that permission without any further work.

[grantr]

/good-first-issue

[knative-prow-robot]

@grantr:
This request has been marked as suitable for new contributors.

Please ensure the request meets the requirements listed here.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-good-first-issue command.

Details

In response to this:

/good-first-issue

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[evankanderson]

/milestone v0.5.0 This will make Brokers and Sources both much more useful and easier to manage consistently.

…

On Mon, Mar 18, 2019 at 1:29 PM Grant Rodgers ***@***.***> wrote: /good-first-issue — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#916 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AHlyN4TMcrNYcm0LlXJYA4HEPGaX5Aqbks5vX_cYgaJpZM4b6eqe> .

-- Evan Anderson <argent@google.com>

[devguyio]

I would love to work on this

[grantr]

/assign @Abd4llA

It's all yours!

[knative-prow-robot]

@grantr: GitHub didn't allow me to assign the following users: Abd4llA.

Note that only knative members and repo collaborators can be assigned.
For more information please see the contributor guide

Details

In response to this:

/assign @Abd4llA

It's all yours!

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[devguyio]

/assign

[grantr]

Bumping this to v0.5.1.

/milestone v0.5.1