Drop the use of nonexisting groups in kubernetes infrastructure_users
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	JMeybohm
	Sep 14 2021, 12:21 PM

Description

We currently have a lot of users in profile::kubernetes::master::infrastructure_users: (private puppet) referring to groups that don't actually exist ("deploy" and "calico").

In Kubernetes, groups (apart from default groups that start with system:) "arise" from ClusterRoleBinding or RoleBinding objects with a subjects referring to them, e.g.:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: api-metrics
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: api-metrics
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: api-metrics

While there will not be an Group API object, the reference to a Group named api-metrics allows for users in the token file [1] to use that group and be granted permissions according to the above ClusterRoleBinding (that is, those of the ClusterRole api-metrics).

That said, we don't have such Bindings for "deploy" or "calico" and so we should remove those groups from the users to not cause further confusion.

If someone wants a list of "groups available in the cluster", that can be generated by something like: https://wikitech.wikimedia.org/wiki/Kubernetes/Kubectl/Cheat_Sheet#List_all_RBAC_%22Groups%22_referenced_in_the_cluster

[1] https://people.wikimedia.org/~jayme/k8s-docs/v1.16/docs/reference/access-authn-authz/authentication/#static-token-file

Details

	Subject	Repo	Branch	Lines +/-
	kubernetes: Remove infrastructure_users static token file	operations/puppet	production	+0 -2
	kubernetes: Remove infrastructure_users static token file	operations/puppet	production	+5 -71

Customize query in gerrit

Related Objects
Search...

Status	Assigned	Task
Resolved	JMeybohm	T307943 Update Kubernetes clusters to v1.23
Resolved	JMeybohm	T328291 Post Kubernetes v1.23 cleanup
Resolved	JMeybohm	T290963 Drop the use of nonexisting groups in kubernetes infrastructure_users

Event Timeline

JMeybohm triaged this task as Low priority.Sep 14 2021, 12:21 PM

JMeybohm created this task.

Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 14 2021, 12:21 PM

JMeybohm updated the task description. (Show Details)Sep 14 2021, 12:22 PM

Thanks for looking this up!

I like the idea of dropping the unused groups deploy and calico. I checked the RoleBindings and ClusterRoleBindings and can only find bindings for the groups api-metrics, view and multiple system: groups.

This also matches my experience from RBAC refactoring for helm3. The group deploy had no effect on the actual permissions.

I've invented another group imagecatalog which is not used in RBAC roles. But I wanted to prevent having the users added to the deploy group (which is what we do currently if the user has no group set).

+1 on removing deploy, calico groups since they are unused. I am not sure that the imagecatalog group is for though?

In T290963#7574636, @akosiaris wrote:

+1 on removing deploy, calico groups since they are unused. I am not sure that the imagecatalog group is for though?

Just a dummy to prevent the imagecatalog user from being granted deployer rights (as we currently add deploy as default group in the infrastructure_users template. Can absolutely be removed when that default is gone.

In T290963#7574645, @JMeybohm wrote:

In T290963#7574636, @akosiaris wrote:

+1 on removing deploy, calico groups since they are unused. I am not sure that the imagecatalog group is for though?

Just a dummy to prevent the imagecatalog user from being granted deployer rights (as we currently add deploy as default group in the infrastructure_users template. Can absolutely be removed when that default is gone.