Trimmed down Cilium's Cluster Roles to only the necessary rules #19074
Merged
tklauser approved these changes Apr 21, 2022
kaworu approved these changes Apr 21, 2022
Since Cilium does not set any finalizer in the owner of the CEP, a Pod, it does not make sense to set "BlockOwnerDeletion: true". Regardless of this option being `true` or `false`, the Pod dependent, in this case the CEP, is always* garbage collected by Kubernetes. *Only if the user deletes the pod with the "orphan" cascading deletion strategy will the CEP be kept. However, Cilium Operator will garbage collect orphaned Cilium Endpoints every 5 minutes by default. Signed-off-by: André Martins <andre@cilium.io>
Cilium does not need to perform any Pod update, thus this permission can be removed from Cilium's Cluster Role. Signed-off-by: André Martins <andre@cilium.io>
Follow up of 0f4d3a7 ("helm: Remove Unnecessary RBAC Permissions for Agent") Signed-off-by: André Martins <andre@cilium.io>
Trimmed down Cilium's ClusterRole to the exact permissions that Cilium requires. Signed-off-by: André Martins <andre@cilium.io>
Trimmed down clustermesh-apiserver's ClusterRole to the exact permissions that clustermesh-apiserver requires. Signed-off-by: André Martins <andre@cilium.io>
Since this option only existed to set up annotations in Kubernetes Nodes before the introduction of CiliumNodes, it can default to 'false' so that Cilium's RBAC can have as few permissions as possible. Signed-off-by: André Martins <andre@cilium.io>
To decrease the number of permissions Cilium requires to operate in a cluster, the node taint removal and the setup of the node condition NetworkUnavailable can be done through cilium-operator. Cilium-operator will remove, if set, Cilium's node-specific taints from the Kubernetes nodes, as well as set the NetworkUnavailable node condition to 'false', once it detects there is a "Ready" Cilium pod on that node. Signed-off-by: André Martins <andre@cilium.io>
Trimmed down Cilium-Operator's ClusterRole to the exact permissions that Cilium-Operator requires. Signed-off-by: André Martins <andre@cilium.io>
CI has passed in #19449, although the AKS test is failing on master, so it's not a regression introduced by these changes. Merging...
This was referenced May 3, 2022
This was referenced May 9, 2022
✔️ LGTM
Labels
backport-done/1.11
The backport for Cilium 1.11.x for this PR is done.
release-note/misc
This PR makes changes that have no direct user impact.
Trimmed down all Cilium's Cluster Roles to only the necessary rules.
Note for reviewers: all tests have passed on PR #19449 which includes these changes.
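The trimming summarised in the PR description above was done by hand in the Helm templates. The following Python script is an added example, not Cilium's code, of how a cluster operator can check the result of such a change: it flattens a ClusterRole in the shape returned by `kubectl get clusterrole <name> -o json` into (apiGroup, resource, verb) grants, reports every grant outside an explicit allow-list (including `*` wildcards, which are broader than any listed verb), confirms that nothing the workload still needs was dropped, and emits the minimal rule set. The role, its name and the allow-list are constructed sample data, not Cilium's actual RBAC rules.

```python
"""Audit a Kubernetes ClusterRole against an explicit allow-list of permissions.

Added example (not Cilium's code).  Feed it the JSON of a real ClusterRole and
the allow-list you believe the workload needs; it reports excess grants,
missing grants, and a trimmed role that grants exactly the allow-list.
"""
import json

# Constructed sample role, before trimming: it still carries `update` on pods
# and nodes and a `*` verb on ciliumendpoints.  The name is hypothetical.
BEFORE_ROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "example-agent"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods", "nodes"],
     "verbs": ["get", "list", "watch", "update"]},
    {"apiGroups": ["cilium.io"], "resources": ["ciliumendpoints"],
     "verbs": ["*"]},
    {"nonResourceURLs": ["/healthz"], "verbs": ["get"]}
  ]
}
""")

# Constructed allow-list: the (apiGroup, resource, verb) triples the sample
# workload is assumed to need.  "" is the core API group.
ALLOWED = {
    ("", "pods", "get"), ("", "pods", "list"), ("", "pods", "watch"),
    ("", "nodes", "get"), ("", "nodes", "list"), ("", "nodes", "watch"),
    ("cilium.io", "ciliumendpoints", "get"),
    ("cilium.io", "ciliumendpoints", "list"),
    ("cilium.io", "ciliumendpoints", "watch"),
    ("cilium.io", "ciliumendpoints", "create"),
    ("cilium.io", "ciliumendpoints", "update"),
    ("cilium.io", "ciliumendpoints", "delete"),
}


def expand_rules(cluster_role):
    """Flatten PolicyRules into a set of (apiGroup, resource, verb) tuples.

    nonResourceURL rules (e.g. /healthz) are not resource grants and are skipped.
    """
    grants = set()
    for rule in cluster_role.get("rules", []):
        if "nonResourceURLs" in rule:
            continue
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    grants.add((group, resource, verb))
    return grants


def _covers(pattern, target):
    """True if `pattern` grants `target`, honouring the RBAC '*' wildcard."""
    return all(p == "*" or p == t for p, t in zip(pattern, target))


def excess_grants(cluster_role, allowed):
    """Grants in the role that no allow-list entry covers.

    A wildcard grant such as ("cilium.io", "ciliumendpoints", "*") is only
    covered if the allow-list itself contains that wildcard, so it is flagged.
    """
    return sorted(g for g in expand_rules(cluster_role)
                  if not any(_covers(a, g) for a in allowed))


def missing_permissions(cluster_role, required):
    """Required permissions that no grant in the role (wildcards included) covers."""
    grants = expand_rules(cluster_role)
    return sorted(r for r in required if not any(_covers(g, r) for g in grants))


def trim_role(cluster_role, allowed):
    """Return a copy of the role whose resource rules grant exactly `allowed`.

    nonResourceURL rules are kept unchanged; one rule is emitted per
    (apiGroup, resource) pair with its verbs sorted, which keeps diffs readable.
    """
    by_target = {}
    for group, resource, verb in allowed:
        by_target.setdefault((group, resource), set()).add(verb)
    rules = [r for r in cluster_role.get("rules", []) if "nonResourceURLs" in r]
    rules += [
        {"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)}
        for (group, resource), verbs in sorted(by_target.items())
    ]
    trimmed = dict(cluster_role)
    trimmed["rules"] = rules
    return trimmed


if __name__ == "__main__":
    print("excess:", excess_grants(BEFORE_ROLE, ALLOWED))
    print("missing:", missing_permissions(BEFORE_ROLE, ALLOWED))
    after = trim_role(BEFORE_ROLE, ALLOWED)
    print("excess after trim:", excess_grants(after, ALLOWED))
    print(json.dumps(after, indent=2))
```

On a real cluster, replace `BEFORE_ROLE` with the parsed output of `kubectl get clusterrole <name> -o json` and derive the allow-list from what the workload actually calls; the `missing_permissions` check is the guard against trimming a verb the workload still depends on, which is why the PR author notes that the full CI run passed with these changes.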