Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add missing checkpoint permissions to system:kubelet-api-admin #126724

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add missing checkpoint permissions to system:kubelet-api-admin #126724

wants to merge 1 commit into from

Conversation

vinayakankugoyal
Copy link
Contributor

@vinayakankugoyal vinayakankugoyal commented Aug 15, 2024
edited
Loading

What type of PR is this?

/kind bug

What this PR does / why we need it:

kubelet has a new endpoint called checkpoint which can be used to take snapshots of containers running on the node.
If the kubelet wehbook authn and authz is enabled then to call it you need verb: "post" on resource: "nodes/checkpoint".
"system:kubelet-api-admin" is a ClusterRole that should have permission to call all webhook endpoints. It does not have permissions to call this endpoint. This makes it so that a user with system:kubelet-api-admin ClusterRole can call this endpoint.

Which issue(s) this PR fixes:

Fixes #126232

Special notes for your reviewer:

Does this PR introduce a user-facing change?

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

NONE

@k8s-ci-robot
Copy link
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. kind/bug Categorizes issue or PR as related to a bug. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Aug 15, 2024
@k8s-ci-robot
Copy link
Contributor

This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note-none Denotes a PR that doesn't merit a release note. sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Aug 15, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: vinayakankugoyal
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@vinayakankugoyal
Copy link
Contributor Author

/sig-node

@vinayakankugoyal
Copy link
Contributor Author

/sig node

@k8s-ci-robot k8s-ci-robot added the sig/node Categorizes an issue or PR as relevant to SIG Node. label Aug 15, 2024
@vinayakankugoyal vinayakankugoyal marked this pull request as ready for review August 15, 2024 21:26
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 15, 2024
@vinayakankugoyal vinayakankugoyal mentioned this pull request Aug 15, 2024
Open
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Aug 15, 2024
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Aug 15, 2024
@vinayakankugoyal
Add missing checkpoint permissions to system:kubelet-api-admin
5b31795 
Signed-off-by: Vinayak Goyal <vinaygo@google.com>
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Aug 16, 2024
@kannon92
Copy link
Contributor

LGTM to me.

I would prefer a review from sig-auth though.

liggitt
liggitt reviewed Aug 16, 2024
View reviewed changes
Copy link
Member

@liggitt liggitt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mechanically, this looks correct

did we verify it was unintentional that kube-apiserver not be able to trigger this endpoint, or was the separate permission intentional so it couldn't be driven via the kube apiserver?

plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
}

if utilfeature.DefaultFeatureGate.Enabled(features.ContainerCheckpoint) {
kubeletAPIAdminRules = append(kubeletAPIAdminRules, rbacv1helpers.NewRule("*").Groups(legacyGroup).Resources("nodes/checkpoint").RuleOrDie())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: prefer a specific verb if the kubelet only supports a single verb on the checkpoint subresource

@kannon92
Copy link
Contributor

did we verify it was unintentional that kube-apiserver not be able to trigger this endpoint, or was the separate permission intentional so it couldn't be driven via the kube apiserver?

AFAIK forensic checkpointing KEP was about having a kubelet admin be able to run checkpoints against the kubelet API. I think we'd like to revisit checkpoint/restore in a new KEP to focus on RBAC for a more friendly UX. So I think it is intential that you can't drive checkpointing via kube apiserver.

@liggitt
Copy link
Member

liggitt commented Aug 16, 2024

So I think it is intential that you can't drive checkpointing via kube apiserver.

ok... I wondered about that. If that is the case then we should not add this permission until that is resolved.

@kannon92
Copy link
Contributor

So I thought that this role would be for a kubelet admin (system:kubelet-api-admin)?

@vinayakankugoyal
Copy link
Contributor Author

My motivation of adding it was that it seemed to me that this role it meant to have all the permissions for the kubelet API. @SergeyKanzhelev WDYT?

@SergeyKanzhelev
Copy link
Member

My motivation of adding it was that it seemed to me that this role it meant to have all the permissions for the kubelet API. @SergeyKanzhelev WDYT?

Exposing the forensic checkpoint from control plane was not in scope: https://github.com/kubernetes/kubernetes/pull/104907/files#r920403597. I would suggest we take this to the KEP discussion on what kind of API we want to expose

@vinayakankugoyal
Copy link
Contributor Author

By default no binding is created referencing that ClusterRole:

kubectl get clusterrolebindings,rolebindings -A -o json | jq '.items[] | select(. | .roleRef.name == "system:kubelet-api-admin")'

@liggitt
Copy link
Member

liggitt commented Aug 16, 2024
edited
Loading

By default no binding is created referencing that ClusterRole:

Sure, but practically, this is the role everyone binds to the identity given to the kube-apiserver to talk to the kubelet

@rst0git rst0git mentioned this pull request Aug 20, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@kannon92 kannon92 kannon92 left review comments

@enj enj Awaiting requested review from enj

@deads2k deads2k Awaiting requested review from deads2k

@sttts sttts Awaiting requested review from sttts

Assignees
No one assigned
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. release-note-none Denotes a PR that doesn't merit a release note. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/node Categorizes an issue or PR as relevant to SIG Node. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
SIG Auth
Status: In Review
SIG Node PR Triage
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

system:kubelet-api-admin does not have permissions to issue checkpoint.
5 participants
@vinayakankugoyal @k8s-ci-robot @kannon92 @liggitt @SergeyKanzhelev