CNF-16428: gitops: Reduce ArgoCD ClusterRole with minimal privilege #111
leo8a wants to merge 3 commits into openshift-kni:main from
Conversation
@leo8a: This pull request references CNF-16428 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
/hold doing some more testing
a761dcf to 7b5dffe
/unhold Ready for review
These get copied over from the telco-ran reference. We should update them there at the same time so that a future sync between the two doesn't overwrite these.
  labels:
    rbac.authorization.k8s.io/aggregate-to-ocm-cluster-manager-admin: "true"
rules:
- apiGroups:
Shouldn't we also grant permission to Secrets and ConfigMaps at least?
Also, I'm wondering why list, get, watch were not included for the ClusterInstance. 🤔
hey Irina, thanks for your ping
Shouldn't we also grant permission to Secrets and ConfigMaps at least?
IIRC those resources are accessed using the openshift-gitops-openshift-gitops-argocd-application-controller ClusterRole (installed by default as part of the ArgoCD operator)
Also, I'm wondering why list, get, watch were not included for the ClusterInstance. 🤔
I'll add those verbs also to the list
/hold
In any case, I'm holding this PR for now, I want to run a couple of new tests, given that it has been a while since I validated this.
Coming back to your questions:
Shouldn't we also grant permission to Secrets and ConfigMaps at least?
Also, I'm wondering why list, get, watch were not included for the ClusterInstance. 🤔
The ClusterRole/openshift-gitops-openshift-gitops-argocd-application-controller (installed by default with Argo CD) already grants full ([*]) access to configmaps:
configmaps [] [] [*]
It also includes a wildcard rule:
*.* [] [] [get list watch]
This provides read-only access (get, list, watch) to any resource in any API group—including custom resources like ClusterInstance. So technically, explicit permissions for ClusterInstance aren't required in this case. However, I'm happy to add them explicitly if that helps make the access rules clearer or easier to audit.
On the other hand, access to secrets is not included in the Argo CD ClusterRole above, but it is granted via the ClusterRole/open-cluster-management:cluster-manager-admin (installed by default with ACM):
-> oc describe ClusterRole/open-cluster-management:cluster-manager-admin | grep secrets
secrets [] [] [create get list watch update delete deletecollection patch]
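As an added example (not code from this PR or the repository), a small Python audit helper that applies Kubernetes RBAC wildcard matching to the union of the ClusterRoles named above, so a reviewer can see which role actually grants a given request and which requests are covered by nothing. The rule sets are constructed approximations of the roles discussed, and the ClusterInstance API group is an assumption.

```python
# Added example, not code from the PR: resolve which ClusterRole (if any)
# grants a (apiGroup, resource, verb) request, honouring '*' wildcards.
# ROLES is a constructed approximation of the roles discussed in the thread.

def _match(pattern, value):
    """Kubernetes RBAC wildcard semantics: '*' matches any value."""
    return pattern == "*" or pattern == value

def rule_allows(rule, group, resource, verb):
    """True if a single PolicyRule covers the request."""
    return (any(_match(g, group) for g in rule.get("apiGroups", []))
            and any(_match(r, resource) for r in rule.get("resources", []))
            and any(_match(v, verb) for v in rule.get("verbs", [])))

def allowed_by(roles, group, resource, verb):
    """Names of the ClusterRoles whose rules grant the request (empty = denied)."""
    return [name for name, rules in roles.items()
            if any(rule_allows(r, group, resource, verb) for r in rules)]

def audit(roles, requests):
    """Map each (group, resource, verb) tuple to the roles that grant it."""
    return {req: allowed_by(roles, *req) for req in requests}

# Constructed from the 'oc describe' output quoted in the review thread.
ROLES = {
    "openshift-gitops-openshift-gitops-argocd-application-controller": [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["*"]},
        # the wildcard read rule shown as '*.* [] [] [get list watch]'
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
    ],
    "open-cluster-management:cluster-manager-admin": [
        {"apiGroups": [""], "resources": ["secrets"],
         "verbs": ["create", "get", "list", "watch", "update", "delete",
                   "deletecollection", "patch"]},
    ],
}

# Assumed API group for ClusterInstance (siteconfig operator).
CI_GROUP = "siteconfig.open-cluster-management.io"

if __name__ == "__main__":
    checks = [
        (CI_GROUP, "clusterinstances", "list"),    # covered by the *.* read rule
        (CI_GROUP, "clusterinstances", "create"),  # covered by neither role
        ("", "secrets", "update"),                 # only via the ACM role
        ("", "configmaps", "delete"),              # only via the Argo CD role
    ]
    for req, granted in audit(ROLES, checks).items():
        print(req, "->", granted or "DENIED")
```

Requests that resolve to an empty list are the ones a dedicated ClusterRole such as the one in this PR has to grant explicitly.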
Thanks, @leo8a. I think a comment would also be helpful, to clear things up a bit since the permissions are spread out between multiple ClusterRoles.
done, I've added comments explaining how the permissions are spread out between multiple ClusterRoles... hopefully helpful for folks in the future.
That's great, @leo8a. Given that this is a reference configuration, having as much information as possible is extremely valuable. Thank you!
ccd540c to 5b63da2
14b3e02 to 2b853cb
/unhold PTAL
2b853cb to 992997c
.../configuration/reference-crs/required/gitops/ztp-installation/gitops-policy-rolebinding.yaml
telco-ran/configuration/argocd/deployment/gitops-policy-rolebinding.yaml
Just 2 minor comments.
992997c to 937854b
/hold
@irinamihai asked me to have a look at this. Argo CD will typically require view all permissions on the cluster but I do not see it being changed here. Any plans to reduce those permissions and couple that change with either resourceExclusion or the auto respect RBAC feature in Argo CD?
Hey @gnunn1, thanks for taking a look.
Not in the scope of this PR. We are just targeting to reduce the permissions granted during the Initial Phase of the GitOps ZTP workflow for Telco (see cluster and gitops ClusterRoleBindings currently assigned). That said, I agree that tightening Argo CD's access (possibly in conjunction with
/rebasing due to conflicts merged to main
937854b to cead88e
/unhold
The current cluster-admin ClusterRole assigned to ArgoCD in Hub clusters grants excessive permissions that are not necessary for its intended functionality. By adopting a minimal privilege ClusterRole, we align with the Principle of Least Privilege, reducing the attack surface and limiting access to only the required resources. This minimizes the potential for accidental misuse, privilege escalation, or unauthorized access in the event of a compromise. Signed-off-by: Leonardo Ochoa-Aday <lochoa@redhat.com>
Since this dir is the canonical source for files in telco-hub ztp-installation, I'm copying the files also here. Signed-off-by: Leonardo Ochoa-Aday <lochoa@redhat.com>
…ct filename
- Change "ZTP Role Bindings:" to "ZTP Roles and Bindings:" in SYNC-WAVES.md
- Update file reference from gitops-cluster-rolebinding.yaml to gitops-cluster-clusterrole.yaml
- Update compare_ignore to match the corrected filename
This ensures documentation accurately reflects the actual ClusterRole resource rather than a ClusterRoleBinding. Signed-off-by: Leonardo Ochoa-Aday <lochoa@redhat.com>
cead88e to f1acbae
New changes are detected. LGTM label has been removed.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: leo8a
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
hey there, so many changes in both (telco-hub and telco-ran) since this was last reviewed, had to rebase to pick up the new changes and adjust the proposed ones.
/cc @imiller0 @yuvalk @sabbir-47