
[FEATURE] Enhance RBAC security #1977

Open
ChenYi015 opened this issue Apr 16, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@ChenYi015
Contributor

Community Note

  • Please vote on this issue by adding a 👍 [reaction](https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

What is the outcome that you are trying to reach?

  1. Adhering to the principle of least privilege is a best practice in Kubernetes RBAC. Spark operator now has a ClusterRole with overly broad permissions which can lead to security risks:

```yaml
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - create
  - get
  - update
  - delete
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - create
  - get
  - update
  - delete
```

  2. As described in Uninstall the chart cannot delete all kubernetes resources associated with that release #1959, the resources cannot be deleted completely after uninstalling the chart, because the RBAC resources are created by Helm hooks.

Describe the solution you would like

  • Create a ClusterRole for the Spark operator in the release namespace, and create a Role in every namespace where Spark applications are deployed. The ClusterRole should grant permissions to cluster scoped resources such as Node and Lease, while the Role should grant permissions for namespaced resources like SparkApplication, Pod, ConfigMap, and Event.

  • The RBAC resources for the spark operator should be managed by Helm, not Helm hooks.

  • Create a ServiceAccount, ClusterRole, and Role specifically for the Spark operator webhook. These should be created by Helm pre-install and pre-upgrade hooks, and should be deleted after the completion of these hooks.

  • MutatingWebhookConfiguration and ValidatingWebhookConfiguration should be managed by Helm hooks, not spark operator.

Describe alternatives you have considered

Additional context
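The ClusterRole/Role split proposed above, written out as an added example (not the project's chart or the author's manifests). The namespace names spark-operator and spark-jobs and the verb lists are assumptions; the ClusterRoleBinding for the ClusterRole is not shown.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: spark-operator   # constructed name; grants cluster-scoped access only
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["create", "get", "update"]   # leader election
# No customresourcedefinitions or *webhookconfigurations here: the issue proposes
# handing those to Helm and to short-lived hook identities instead.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: spark-operator
  namespace: spark-jobs   # constructed: one Role per namespace that runs Spark apps
rules:
- apiGroups: [""]
  resources: ["pods", "configmaps", "services", "events"]
  verbs: ["create", "get", "list", "watch", "update", "patch", "delete"]
- apiGroups: ["sparkoperator.k8s.io"]
  resources: ["sparkapplications", "sparkapplications/status",
              "scheduledsparkapplications", "scheduledsparkapplications/status"]
  verbs: ["get", "list", "watch", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: spark-operator
  namespace: spark-jobs
subjects:
- kind: ServiceAccount
  name: spark-operator
  namespace: spark-operator   # constructed: the Helm release namespace
roleRef:
  kind: Role
  name: spark-operator
  apiGroup: rbac.authorization.k8s.io
```

With these manifests applied, `kubectl auth can-i create customresourcedefinitions --as=system:serviceaccount:spark-operator:spark-operator` should answer `no`, while the same check for `pods` in `-n spark-jobs` answers `yes`.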
