Skip to content

helm/certgen: use namespaced RBAC for hubble certs generation #33027

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 11, 2024
Merged

helm/certgen: use namespaced RBAC for hubble certs generation #33027

merged 1 commit into from
Jun 11, 2024

Conversation

giorio94
Copy link
Member

Convert the ClusterRole/ClusterRoleBinding to Role/RoleBinding to reduce the overall permissions considering that certgen only needs to access the secrets in the local namespace, based on the current configuration. This also aligns it with the equivalent permissions used for clustermesh.

Switch the RBAC used for hubble certificate generation in `cronJob` mode to namespace-scoped.

@giorio94
helm/certgen: use namespaced RBAC for hubble certs generation
3dd9600 
Convert the ClusterRole/ClusterRoleBinding to Role/RoleBinding to
reduce the overall permissions considering that certgen only needs
to access the secrets in the local namespace, based on the current
configuration. This also aligns it with the equivalent permissions
used for clustermesh.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94 giorio94 added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. sig/hubble area/helm Impacts helm charts and user deployment experience labels Jun 10, 2024
@giorio94 giorio94 requested review from a team as code owners June 10, 2024 16:32
@giorio94
Copy link
Member Author

/test

squeed
squeed approved these changes Jun 11, 2024
View reviewed changes
Copy link
Contributor

@squeed squeed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

huge thanks!

@giorio94 giorio94 removed the request for review from nathanjsweet June 11, 2024 08:09
@giorio94
Copy link
Member Author

Removed Nate from the list of reviewers, as already approved by Casey on behalf of sig-k8s.

@giorio94 giorio94 added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 11, 2024
@dylandreimerink dylandreimerink added this pull request to the merge queue Jun 11, 2024
Merged via the queue into cilium:main with commit 519d391 Jun 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@squeed squeed squeed approved these changes

@chancez chancez chancez approved these changes

Assignees
No one assigned
Labels
area/helm Impacts helm charts and user deployment experience ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/minor This PR changes functionality that users may find relevant to operating Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@giorio94 @squeed @chancez @dylandreimerink