Skip to content

Support LocalSubjectAccessReview if namespace option is non-empty #6752

New issue
New issue
Closed
Closed
Support LocalSubjectAccessReview if namespace option is non-empty#6752
Labels
kind/featureCategorizes issue or PR as related to a new feature.lifecycle/rottenDenotes an issue or PR that has aged beyond stale and will be auto-closed.
@jkroepke

Description

@jkroepke
jkroepke
opened on Feb 11, 2024

Is your feature request related to a problem? Please describe.
I'm looking into the cert-manager permissions requirements at cluster-scope and would like to reduce them to a namespace, if possible.

Currently, the cert-manager controller depends on a cluster-scope SubjectAccessReview which also requires cluster-wide permissions. The need of the is described here: https://github.com/cert-manager/cert-manager/blob/c376bc495c8bb7f710155634ca919e65e134b33e/design/20190708.certificate-request-crd.md#rbac

Access to LocalSubjectAccessReviews can be granted by an Role and does not need a ClusterRole

cert-manager/pkg/controller/certificatesigningrequests/sync.go

Lines 181 to 204 in c376bc4

resp, err := c.sarClient.Create(ctx, &authzv1.SubjectAccessReview{
Spec: authzv1.SubjectAccessReviewSpec{
User: csr.Spec.Username,
Groups: csr.Spec.Groups,
Extra: extra,
UID: csr.Spec.UID,
ResourceAttributes: &authzv1.ResourceAttributes{
Group: certmanager.GroupName,
Resource: "signers",
Verb: "reference",
Namespace: issuerNamespace,
Name: name,
Version: "*",
},
},
}, metav1.CreateOptions{})
if err != nil {
return false, err
}
if resp.Status.Allowed {
return true, nil
}

Describe the solution you'd like
If cert-manager runs in namespace only mode, LocalSubjectAccessReview could be used instead SubjectAccessReview. Since request permissions for the local namespace is sufficent.

Describe alternatives you've considered
N/A

Additional context

Environment details (remove if not applicable):

  • Kubernetes version: 1.28
  • Cloud-provider/provisioner: AKS
  • cert-manager version: 1.14
  • Install method: e.g. helm

/kind feature

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/featureCategorizes issue or PR as related to a new feature.lifecycle/rottenDenotes an issue or PR that has aged beyond stale and will be auto-closed.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions