Revert "More fine-grained control over powerful RBAC permission granted via Helm chart" #7836

Conversation

@inteon inteon (Member) commented Jul 2, 2025

Reverts #7666.

As noted in #7598, there is an issue with informers that are failing due to the new RBAC.

We have a proposed fix here: #7823.
I'm reverting the PR to give ourselves a bit more time to finetune this fix and maybe consider disabling these informers instead of adding more RBAC.
The goal is to include the fix in v1.19.

Kind

/kind bug

Release Note

Reverted adding the `global.rbac.disableHTTPChallengesRole` Helm option.

@cert-manager-prow cert-manager-prow bot added dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. area/deploy Indicates a PR modifies deployment configuration needs-kind Indicates a PR lacks a `kind/foo` label and requires one. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jul 2, 2025
…ed via Helm chart"

Signed-off-by: Tim Ramlot <42113979+inteon@users.noreply.github.com>
@inteon inteon force-pushed the revert-7666-feat/alnoor/adding-fine-grained-control-over-controller-challenges-rbac branch from 127b951 to 587f0c2 Compare July 2, 2025 10:01
@cert-manager-prow cert-manager-prow bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. and removed dco-signoff: no Indicates that at least one commit in this pull request is missing the DCO sign-off message. labels Jul 2, 2025
@wallrj wallrj (Member) left a comment


/approve
/lgtm

Yes, I agree. The fix proposed in #7823 does not seem quite right.
For example, the ACME challenges controller not only relies on a Pod informer; it also relies on an ingress informer, unconditionally. So in the same way that the DNS-01 role needs permission to list and watch pods, it would strictly need permission to list and watch Ingress...and if we go down that path, the DNS-01 role would look overly permissive to a casual observer. It happens to work, because the Ingress list and watch permissions are also granted by roles designed for ingress-shim.
Let's try and figure out a better UX for this feature; something like global.disableHTTP01.

@cert-manager-prow cert-manager-prow bot added the lgtm Indicates that a PR is ready to be merged. label Jul 2, 2025
@cert-manager-prow cert-manager-prow bot (Contributor) commented

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wallrj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 2, 2025
@inteon inteon (Member, Author) commented Jul 2, 2025

/cherrypick release-1.18

@cert-manager-bot cert-manager-bot (Contributor) commented

@inteon: once the present PR merges, I will cherry-pick it on top of release-1.18 in a new PR and assign it to you.

In response to this:

/cherrypick release-1.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@cert-manager-prow cert-manager-prow bot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Jul 2, 2025
@inteon inteon added kind/bug Categorizes issue or PR as related to a bug. and removed needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Jul 2, 2025
@cert-manager-prow cert-manager-prow bot merged commit e27cd10 into master Jul 2, 2025
6 checks passed
@cert-manager-bot cert-manager-bot (Contributor) commented

@inteon: new pull request created: #7837

In response to this:

/cherrypick release-1.18

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
