@vpnachev (Member) commented Aug 5, 2025

How to categorize this PR?
/area security ipcei
/kind enhancement

What this PR does / why we need it:
Grant Viewer/Admin permissions in the shoot to new groups "gardener.cloud:(project|system):(admins|viewers)".
With this change we are preparing users accessing the shoot clusters via the AdminKubeconfig or ViewerKubeconfig shoot subresource to use dedicated groups, so that these users can be easily distinguished, for example in the audit logs.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:
There is a second PR #12674 where the AdminKubeconfig and ViewerKubeconfig generation is changed to assign the new groups to the users; however, for backward compatibility we first need to grant the permissions to the new groups, otherwise the access to a shoot cluster would be lost until it is reconciled with the new version of gardenlet.

/cc @timuthy @vitanovs

Release note:

New ClusterRoleBindings are deployed in the shoot clusters; they grant Admin and Viewer permissions that will later be leveraged by the `AdminKubeconfig` and `ViewerKubeconfig` features of Gardener:
- `gardener.cloud:system:admins` - grants admin access to users that are Gardener System admins
- `gardener.cloud:system:viewers` - grants viewer access to users that are Gardener System viewers
- `gardener.cloud:project:admins` - grants admin access to users that are Gardener Project admins
- `gardener.cloud:project:viewers` - grants viewer access to users that are Gardener Project viewers
The constant `github.com/gardener/gardener/pkg/apis/core/v1beta1/constants.ShootGroupViewers` has been removed; please use `github.com/gardener/gardener/pkg/apis/core/v1beta1/constants.ShootSystemViewersGroupName` instead.
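
The release note's promise, as an added check that is not part of this pull request or of Gardener's code base: a request that carries only a viewer-tier group may read but must never complete a write. The Go program below scans audit events in the `audit.k8s.io/v1` Event shape (`user.username`, `user.groups`, `verb`, `objectRef`, `responseStatus.code`), classifies each request by the four new group names, and reports any mutating verb that came through a viewer group and still returned 2xx, which is what a shoot's audit log would show if a viewer ClusterRoleBinding were bound to something broader than a view role. The log lines are constructed for this example; `Tier`, `TierOf`, `SuspiciousWrites` and `SampleAuditLog` are names chosen here, not identifiers from the project.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Group names from the release note of this pull request.
const (
	GroupSystemAdmins   = "gardener.cloud:system:admins"
	GroupSystemViewers  = "gardener.cloud:system:viewers"
	GroupProjectAdmins  = "gardener.cloud:project:admins"
	GroupProjectViewers = "gardener.cloud:project:viewers"
)

// Tier is the access level the new ClusterRoleBindings grant, derived from groups alone.
type Tier string

const (
	TierAdmin  Tier = "admin"
	TierViewer Tier = "viewer"
	TierOther  Tier = "other" // no gardener.cloud:* group on the request
)

// TierOf returns the highest tier implied by the groups; admin wins over viewer.
func TierOf(groups []string) Tier {
	tier := TierOther
	for _, g := range groups {
		switch g {
		case GroupSystemAdmins, GroupProjectAdmins:
			return TierAdmin
		case GroupSystemViewers, GroupProjectViewers:
			tier = TierViewer
		}
	}
	return tier
}

// auditEvent is the subset of an audit.k8s.io/v1 Event this check reads;
// all other fields of the real event are ignored on decoding.
type auditEvent struct {
	Verb string `json:"verb"`
	User struct {
		Username string   `json:"username"`
		Groups   []string `json:"groups"`
	} `json:"user"`
	ObjectRef struct {
		Resource  string `json:"resource"`
		Namespace string `json:"namespace"`
	} `json:"objectRef"`
	ResponseStatus struct {
		Code int `json:"code"`
	} `json:"responseStatus"`
}

// mutatingVerbs are the audit verbs a viewer-tier subject must never complete.
var mutatingVerbs = map[string]bool{
	"create": true, "update": true, "patch": true, "delete": true, "deletecollection": true,
}

// Finding is one audit event that contradicts the viewer binding.
type Finding struct {
	Username, Verb, Resource, Namespace string
	Code                                int
}

// SuspiciousWrites scans newline-delimited audit events and returns every mutating
// request made through a viewer-tier group that still succeeded (HTTP 2xx).
// A denied request (403) is the expected outcome for a viewer and is not reported.
func SuspiciousWrites(ndjson string) ([]Finding, error) {
	var findings []Finding
	for i, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var ev auditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("audit line %d: %w", i+1, err)
		}
		succeeded := ev.ResponseStatus.Code >= 200 && ev.ResponseStatus.Code < 300
		if TierOf(ev.User.Groups) == TierViewer && mutatingVerbs[ev.Verb] && succeeded {
			findings = append(findings, Finding{ev.User.Username, ev.Verb,
				ev.ObjectRef.Resource, ev.ObjectRef.Namespace, ev.ResponseStatus.Code})
		}
	}
	return findings, nil
}

// SampleAuditLog is a constructed excerpt for this example, not a log from a real shoot.
// Only the last line should be reported: a project viewer created a Secret and got 201.
const SampleAuditLog = `
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"get","user":{"username":"bob@example.com","groups":["system:authenticated","gardener.cloud:project:viewers"]},"objectRef":{"resource":"pods","namespace":"default","name":"web-0"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"delete","user":{"username":"carol@example.com","groups":["system:authenticated","gardener.cloud:project:admins"]},"objectRef":{"resource":"deployments","namespace":"default","name":"web"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"patch","user":{"username":"dave@example.com","groups":["system:authenticated","gardener.cloud:system:viewers"]},"objectRef":{"resource":"configmaps","namespace":"kube-system","name":"coredns"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","verb":"create","user":{"username":"alice@example.com","groups":["system:authenticated","gardener.cloud:project:viewers"]},"objectRef":{"resource":"secrets","namespace":"default","name":"db-creds"},"responseStatus":{"code":201}}
`

func main() {
	findings, err := SuspiciousWrites(SampleAuditLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("viewer-tier write succeeded: %s %s %s/%s -> %d\n", f.Username, f.Verb, f.Namespace, f.Resource, f.Code)
	}
}
```

Replace `SampleAuditLog` with the contents of a shoot's audit log file to run the same check for real. The classification by group is the point of the new groups as the description states it: an audit reviewer can tell an AdminKubeconfig user from a ViewerKubeconfig user without resolving usernames, and a successful write under a viewer group is a binding error worth raising immediately.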

@gardener-prow gardener-prow bot requested review from timuthy and vitanovs August 5, 2025 09:13
@gardener-prow gardener-prow bot added labels `area/security` (Security related), `area/ipcei` (IPCEI, Important Project of Common European Interest), `kind/enhancement` (Enhancement, improvement, extension), `cla: yes` (the PR's author has signed the cla-assistant.io CLA) and `size/L` (a PR that changes 100-499 lines, ignoring generated files) Aug 5, 2025
…loud:(project|system):(admins|viewers)"

Co-authored-by: Stoyan Vitanov <stoyan.a.vitanov@gmail.com>
Co-authored-by: Tim Usner <tim.usner@sap.com>
@timuthy (Member) commented Aug 5, 2025

/assign

@dimityrmirchev (Member) left a comment

Thank you!

I have some inline suggestions w.r.t. wording

Co-authored-by: Dimitar Mirchev <dimitar.mirchev@sap.com>
@vpnachev vpnachev force-pushed the hackathon/viewer-kubeconfig-part-1 branch from 8c51e78 to 4c11f07 Compare August 5, 2025 13:25
@vpnachev vpnachev requested a review from dimityrmirchev August 5, 2025 13:25
@timuthy (Member) left a comment

Thank you! Just one comment, the rest looks fine.

@rfranzke (Member) left a comment

Looks great @vpnachev

Can you add an early exit in the migration function that detects if the migration already happened (e.g., in a previous restart)? Currently, it seems it is executed either way.

@vpnachev vpnachev requested a review from rfranzke August 7, 2025 06:59
@rfranzke (Member) left a comment

Very nice, thank you!
/lgtm

@gardener-prow gardener-prow bot added the lgtm Indicates that a PR is ready to be merged. label Aug 7, 2025
gardener-prow bot (Contributor) commented Aug 7, 2025

LGTM label has been added.

Git tree hash: 5f9c55c8a26f586bdecb9db4d3df541450fd6da1

@rfranzke rfranzke requested a review from timuthy August 7, 2025 07:02
gardener-prow bot (Contributor) commented Aug 7, 2025

@vpnachev: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| pull-gardener-apidiff | 29833bf | link | false | /test pull-gardener-apidiff |

@timuthy (Member) left a comment

Thank you!
/lgtm
/approve

gardener-prow bot (Contributor) commented Aug 7, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: timuthy


@gardener-prow gardener-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 7, 2025
@gardener-prow gardener-prow bot merged commit de71f88 into gardener:master Aug 7, 2025
18 of 19 checks passed
@vpnachev vpnachev deleted the hackathon/viewer-kubeconfig-part-1 branch August 7, 2025 11:28
Duciwuci pushed a commit to stackitcloud/gardener that referenced this pull request Sep 1, 2025
…loud:(project|system):(admins|viewers)" (gardener#12673)

* Grant Viewer/Admin permissions in the shoot to new groups "gardener.cloud:(project|system):(admins|viewers)"

Co-authored-by: Stoyan Vitanov <stoyan.a.vitanov@gmail.com>
Co-authored-by: Tim Usner <tim.usner@sap.com>

* Address review feedback w.r.t. consts doc string

Co-authored-by: Dimitar Mirchev <dimitar.mirchev@sap.com>

* Remove ShootGroupViewers const and rename others

* Add apiGroup to subjects

* Remove system:masters from ClusterRoleBindings

* Add migration on gardenlet start-up

* Skip migration when ManagedResource is gone

* Skip migration for already migrated shoots

---------

Co-authored-by: Stoyan Vitanov <stoyan.a.vitanov@gmail.com>
Co-authored-by: Tim Usner <tim.usner@sap.com>
Co-authored-by: Dimitar Mirchev <dimitar.mirchev@sap.com>