Skip to content

Commit 81d7ec2

Browse files
awgreeneawgreene
committed
Introduce RBAC Toggle Enhancement
1 parent e4a8436 commit 81d7ec2

File tree

1 file changed

+235
-0
lines changed

1 file changed

+235
-0
lines changed

enhancements/rbac-toggle.md

Lines changed: 235 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,235 @@
1+
---
2+
title: rbac-toggle
3+
authors:
4+
- "@awgreene"
5+
reviewers:
6+
- TBD
7+
approvers:
8+
- TBD
9+
creation-date: 2023-06-06
10+
last-updated: 2023-06-06
11+
status: implementable
12+
see-also:
13+
- NA
14+
replaces:
15+
- NA
16+
superseded-by:
17+
- NA
18+
---
19+
20+
# RBAC Toggle
21+
22+
## Release Signoff Checklist
23+
24+
- [ ] Enhancement is `implementable`
25+
- [ ] Design details are appropriately documented from clear requirements
26+
- [ ] Test plan is defined
27+
- [ ] Graduation criteria for dev preview, tech preview, GA
28+
29+
## Open Questions [optional]
30+
31+
NA
32+
33+
## Summary
34+
35+
The [operator-lifecycle-manager (OLM)](https://github.com/operator-framework/operator-lifecycle-manager) is responsible for installing, upgrading, and managing the lifecycle of operators. While managing the lifecycle of an operator, OLM creates the [Role-Based Access Control (RBAC)](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) manifests requested by the operator in namespaces that the operator is [scoped](https://olm.operatorframework.io/docs/advanced-tasks/operator-scoping-with-operatorgroups/) to. When an operator is installed at the cluster scoped level, the requested RBAC is elevated to cluster wide levels.
36+
37+
Recently, the Operator Framework has been advising operator authors to develope cluster scoped operators as:
38+
- The existing [CustomResourceDefinition (CRD)](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) primitive does not provide a great user experience on multitenant environments.
39+
- It becomes increasingly complex when a user installs multiple versions of an operator scoped to different namespaces.
40+
41+
As more operators move towards the cluster scoped model, it becomes increasingly problematic for cluster admins that are uncomfortable or unable to allow OLM to grant cluster wide RBAC to operators it installs.
42+
43+
This enhancement proposes providing cluster admins greater control over the RBAC generated by OLM while managing an operator.
44+
45+
## Motivation
46+
47+
The primary motivation of this enhancement centers around using OLM on highly regulated clusters. Within these highly regulated environments, cluster admins are responsible for tightly limiting the permissions of users or services in an effort to adhere to specific regulations that are regularly audited. Today, it is difficult or impossible to use OLM in these environments as the cluster admins have no control over the RBAC generated by OLM.
48+
49+
### Goals
50+
51+
Allow cluster admins to disable:
52+
53+
- The promotion of Roles and RoleBindings defined from the [ClusterServiceVersion.Spec.Install.Spec.Permissions field](https://github.com/operator-framework/api/blob/33310d6154f344da5494c788451bd34cdf54711c/pkg/operators/v1alpha1/clusterserviceversion_types.go#L79) to ClusterRoles and ClusterRoleBindings respectively when installing an operators into a namespace that includes an `AllNamespace` scoped OperatorGroup.
54+
- The generation of ClusterRoles aggregated to the view, edit, and admin ClusterRoles when installing a CRD. For example, when installing a CRD named foo.bar.io at v1, OLM should not generate the following ClusterRoles:
55+
-- foo.bar.io-v1-admin
56+
-- foo.bar.io-v1-crdview
57+
-- foo.bar.io-v1-edit
58+
-- foo.bar.io-v1-view
59+
60+
> NOTE: The following Goals may not be required, but it seems reasonable that a cluster admin would not want every user to be able to view/edit CRDs introduced by OLM. This should be decided upon prior to merging the EP.
61+
62+
- The generation of [aggregate-olm-edit ClusterRole](https://github.com/operator-framework/operator-lifecycle-manager/blob/943a726ab1a516bc231e2fe96d13fc2e47bf4448/deploy/upstream/quickstart/olm.yaml#L153-L167) RBAC.
63+
- The generation of [aggregate-olm-view ClusterRole](https://github.com/operator-framework/operator-lifecycle-manager/blob/943a726ab1a516bc231e2fe96d13fc2e47bf4448/deploy/upstream/quickstart/olm.yaml#L168-L184) RBAC.
64+
65+
### Non-Goals
66+
67+
- Provide means to disable generation of ClusterRoles and ClusterRoleBindings derived from the [ClusterServiceVersion.Spec.Install.Spec.ClusterPermissions field](https://github.com/operator-framework/api/blob/33310d6154f344da5494c788451bd34cdf54711c/pkg/operators/v1alpha1/clusterserviceversion_types.go#L80). These cluster scoped permissions are required for the operator to run so OLM cannot remove them.
68+
69+
## Proposal
70+
71+
OLM recently introduced the [olmConfig resource](https://github.com/operator-framework/api/blob/33310d6154f344da5494c788451bd34cdf54711c/pkg/operators/v1/olmconfig_types.go#L40-L47) to provide users with the means to configure OLM behavior. This enhancement proposes three additional toggles to the [spec.features struct](https://github.com/operator-framework/api/blob/33310d6154f344da5494c788451bd34cdf54711c/pkg/operators/v1/olmconfig_types.go#L16-L26):
72+
```yaml
73+
// Features contains the list of configurable OLM features.
74+
type Features struct {
75+
76+
// DisableOLMAggregateCRDRoles allows users to disable the aggregate-olm-edit and aggregate-olm-view clusterroles that ship with OLM.
77+
//
78+
// Again, the jury is still out on whether or not this field is needed.
79+
DisableOLMAggregateCRDRoles *bool `json:"disableOLMAggregateCRDRoles,omitempty"`
80+
81+
// DisableAggregateCRDRoles is used to prevent OLM from generating
82+
// clusterRoles for CRDs it installs that are aggregated to the default
83+
// view, edit, and admins roles that are shipped with Kubernetes. OLM
84+
// creates these roles so users may immediately begin interacting with APIs
85+
// introduced by operators installed with OLM.
86+
DisableAggregateCRDRoles *bool `json:"disableAggregateCRDRoles,omitempty"`
87+
88+
// DisableAllNamespacePermissionPromotion prevents OLM from escalating
89+
// roles and roleBindings requested by an operator to clusterRole and
90+
// clusterRoleBindings respectively when OLM installs an operators into
91+
// a namespace that includes an operatorGroup with the AllNamespace
92+
// installMode.
93+
DisableAllNamespacePermissionPromotion *bool `json:"disableAllNamespacePermissionPromotion,omitempty"`
94+
}
95+
```
96+
97+
Let's discuss the design of each of these toggles:
98+
99+
### DisableOLMAggregateCRDRoles Toggle
100+
101+
The goal of this toggle is to provide cluster admins with the means to prevent OLM from creating aggregated `edit` and `view` roles for the CRDs and APIServices introduced by OLM.
102+
103+
To support this toggle, the `aggregate-olm-edit` and `aggregate-olm-view` will be removed from the manifests directory and instead the [olmConfig controller](https://github.com/operator-framework/operator-lifecycle-manager/blob/3002cf79ce867e32d30d2190df642eaa7f449294/pkg/controller/operators/olm/operator.go#L1249-L1314) will be updated to inspect the `olmConfig.Spec.DisableOLMAggregateCRDRoles` field and:
104+
- Ensure that the `aggregate-olm-edit` and `aggregate-olm-view` clusterRoles exist if the `DisableOLMAggregateCRDRoles` field in is `nil` or `false`.
105+
- Ensure that the `aggregate-olm-edit` and `aggregate-olm-view` clusterRoles do not exist if the field is `true`.
106+
107+
### DisableAggregateCRDRoles Toggle
108+
109+
The goal of this toggle is to provide cluster admins with the means to prevent OLM from creating aggregated `edit`, `view`, `crdview,` and `admin` for CRDs and APIServices introduced by managed operators.
110+
111+
To support this toggle, the [ensureClusterRolesForCRD](https://github.com/operator-framework/operator-lifecycle-manager/blob/3002cf79ce867e32d30d2190df642eaa7f449294/pkg/controller/operators/olm/operatorgroup.go#L418-L457) function should be updated to inspect the `olmConfig.Spec.DisableAggregateCRDRoles` field and:
112+
- Ensure that the `edit`, `view`, `crdview,` and `admin` roleBindings exist if the field is `nil` or `false`.
113+
- Ensure that the `edit`, `view`, `crdview`, and `admin` roleBindings do not exist if the field is `true`.
114+
115+
### DisableAllNamespacePermissionPromotion Toggle
116+
117+
The goal of this toggle is to provide cluster admins with the means to prevent OLM from promotion roles and roleBindings defined in a ClusterServiceVersion (CSV) to clusterRoles and clusterRoleBindings.
118+
119+
To support this toggle, the [ensureRBACInTargetNamespace](https://github.com/operator-framework/operator-lifecycle-manager/blob/3002cf79ce867e32d30d2190df642eaa7f449294/pkg/controller/operators/olm/operatorgroup.go#L483-L484) function should be updated to inspect the `olmConfig.Spec.DisableAllNamespacePermissionPromotion` field and:
120+
- Ensure that the `permissions` are promoted to `clusterPermissions` when the field is set to `nil` or `false`.
121+
- Ensure that the `permissions` are not promoted to `clusterPermissions` when the field is set to `true`.
122+
123+
### User Stories [optional]
124+
#### Story 1
125+
126+
As a cluster admin, I would like to be able to remove the view and edit aggregate roles that OLM creates for the APIs it introduces so only a select number of users can interact with OLM.
127+
128+
#### Story 2
129+
130+
As a cluster admin, I would like to be able to configure OLM so it does not create the `edit`, `view`, `crdview,` and `admin` aggregate roleBindings for the CRDs of operators it installs.
131+
132+
#### Story 2
133+
134+
As a cluster admin, I would like to be able to configure OLM so it does not promote roles and roleBindings defined in a CSV's `spec.permissions` field to clusterRole and clusterRoleBindings respectively so I may have greater control over the RBAC generated for each operator.
135+
136+
### Implementation Details/Notes/Constraints [optional]
137+
138+
139+
After disabling OLM's promotion of a CSV's `permissions` to `clusterPermissions` through the `DisableAllNamespacePermissionPromotion` toggle, the cluster admin will need to complete a few manual steps for each operator installed ath the cluster level.
140+
141+
142+
#### Namespaced RBAC Generation
143+
144+
The cluster admin will need to manually create the roles and roleBindings in each of the namespaces they want to "scope" the operator to.
145+
146+
While this could be done manually, it may be helpful to provide support for packaging [combo](https://github.com/operator-framework/combo) or providing the steps to using the combo cli to generate the roles and roleBindings for a list of namespaces from a CSV.
147+
148+
#### Handling events from Informers
149+
150+
Operator clients are created today with informers that are configured to watch for events in specific or all namespaces at startup, there is no dynamic informer that exists. Typically, informers used by operators are appropriately scoped to the correct namespaces using the `WATCH_NAMESPACE` environment variable. Operators managed by OLM set the value of this environment variable by referencing the 'olm.targetNamespaces` annotation on the CSV, which in turn is set by OLM based on the targetNamespaces defined by the operatorGroup in the namespace.
151+
152+
The cluster admin will need to override the CSV's `WATCH_NAMESPACE` environment variable through the `Subscription's spec.config.env` field, to include the set of namespaces they want the operator to operator in. Failure to address this concern will result in the operator receiving events from namespaces in which the operator does not have the appropriate RBAC permissions.
153+
154+
### Risks and Mitigations
155+
156+
### Impact on Copied CSVs
157+
158+
Historically, OLM has relied on [copied CSVs](https://olm.operatorframework.io/docs/concepts/crds/operatorgroup/#copied-csvs) to communicate to users which operators are available in a given namespace. At a high level, whenever OLM installs an operator in a namespace, a lightweight copy of the CSV is created in each of the targetNamespaces defined by the operatorGroup in the namespace.
159+
160+
By allowing cluster admins to disable OLM's promotion of RBAC requested by an operator [Copied CSVs](https://olm.operatorframework.io/docs/concepts/crds/operatorgroup/#copied-csvs) there is a chance that the operator will not have the RBAC required to reconcile events in a given namespace, providing users a confusing experience.
161+
162+
It may be useful to recommend that users [disable copied CSVs](https://olm.operatorframework.io/docs/advanced-tasks/configuring-olm/#disabling-copied-csvs) when disabling RBAC generation.
163+
164+
### Impact on OpenShift Console
165+
166+
The [OpenShift Console](https://github.com/openshift/console) project makes a few assumptions on Operator scope based on the OperatorGroup in its namespace. By allowing cluster admins to disable OLM's promotion of RBAC requested by an operator, the UI will incorrectly inform users that an operator is available in a given namespace, yielding a bad user experience. As such, this feature must make it clear to users that it renders parts of the UI invalid.
167+
168+
## Design Details
169+
170+
### Test Plan
171+
172+
The following testcases should be implemented as a part of this enhancement:
173+
- Setting the `cluster olmConfig` resource's `spec.features.disableOLMAggregateCRDRoles` to `true` removes the `aggregate-olm-edit` and `aggregate-olm-view` clusterRoles from the cluster.
174+
- Setting the `cluster olmConfig` resource's `spec.features.disableAggregateCRDRoles` to `true` prevents OLM from creating `edit`, `view`, `crdview,` and `admin` roleBindings for CRDs and APIServices introduced by the CSVs.
175+
- Setting the `cluster olmConfig` resource's `spec.features.disableAllNamespacePermissionPromotion` to `true` prevents OLM from converting roles and roleBindings defined in a CSV's `spec.permissions` field to clusterRoles and clusterRoleBindings respectively.
176+
177+
### Prototype Demo [optional]
178+
179+
A proof of concept implementation highlighting the `disableAggregateCRDRoles` and `disableAllNamespacePermissionPromotion` toggles can be found [here](https://github.com/awgreene/operator-lifecycle-manager/tree/rbac-toggle-demo).
180+
181+
### Graduation Criteria
182+
183+
Straight to GA.
184+
185+
#### Examples
186+
187+
Not applicable.
188+
189+
##### Dev Preview -> Tech Preview
190+
191+
Straight to GA.
192+
193+
##### Tech Preview -> GA
194+
195+
Straight to GA.
196+
197+
##### Removing a deprecated feature
198+
199+
Not applicable.
200+
201+
### Upgrade / Downgrade Strategy
202+
203+
If OLM is downgraded the proposed changes to the API will be lost and OLM may begin generating RBAC for the operators that were created. As such, the OLM team should investigate:
204+
205+
- How OLM can prevent cluster downgrades.
206+
- How we could communicate the potential damage to customers if they initiate a downgrade after utilizing this feature.
207+
208+
### Version Skew Strategy
209+
210+
The is feature does not depend on other projects and uses existing APIs, as such there is little concern regarding the version of other components.
211+
212+
## Implementation History
213+
214+
Not applicable.
215+
216+
## Drawbacks
217+
218+
The goal of this enhancement is to provide cluster admins with greater control over the RBAC that OLM generates on cluster. Providing cluster admin's with the means to disable OLM's RBAC generation naturally places a greater burden on cluster admins to manage RBAC as they install new operators. There are a number of existing processes that become more tedious when RBAC generation is enabled, to name a few:
219+
220+
- The cluster admin must keep track of the namespaces that include the roles and roleBindings required by the operator. If the cluster admin wants to extend the scope of the operator to additional namespaces, they would need to create additional RBAC in said namespaces.
221+
- The cluster admin must keep the `WATCHED_NAMESPACES` environment variable up to date, otherwise the informer will either:
222+
-- Receive events from namespaces that it lacks the appropriate RBAC.
223+
-- Not Receive events from namespaces that it has the appropriate RBAC.
224+
## Alternatives
225+
226+
### Multi Namespace Cluster Singletons
227+
228+
A core requirements of this enhancement is to prevent OLM from promoting roles/roleBindings defined in a CSV's permissions to clusterRoles and clusterRoleBindings respectively when installing an operator in AllNamespace mode. Instead of disabling RBAC promotion by OLM, we could instead add a feature that treats MultiNamespace operatorGroups as cluster singletons, which would remove the need to modify the list of namespaces that an operator is configured to watch.
229+
230+
Unfortunately, OLM has been directing operator authors to use the AllNamespace installMode, which means that some subset of operator may not even support the MultiNamespace installMode.
231+
232+
## Infrastructure Needed [optional]
233+
234+
Not applicable.
235+

0 commit comments

Comments
 (0)