ChaosNetwork Experiment Permission/Validation_Webhook Issue

[ugur99]

Bug Report

What version of Kubernetes are you using?

v1.25.10

What version of Chaos Mesh are you using?

v2.6.2

What did you do? / Minimal Reproducible Example

As a platform team, we want to provide Chaos-Mesh as a service to our developer teams with limited privileges.

But we noticed that if a user wants to create a ChaosNetwork-Delay, not only do they need permissions in the their namespace, but also in the other related namespace as well even though its a one-way experiment (from backend-test namespace to some-other-namespace-managed-by-other-team). Otherwise experiment request is denied by the auth validation webhook and webhook is checking for create/update privileges for all chaos-mesh resources on both namespaces I guess.

error message

error.api.internal_server_error: admission webhook "vauth.kb.io" denied the request: <user> is forbidden on namespace ingress-nginx

But lets say for ChaosNetwork-Delay experiment; isn't it enough to define for only create/update priv on podnetworkchaos.chaos-mesh.org resource for the spec.target.selector.namespaces (in that case it is ingress-nginx namespace) ? We observed chaos-daemon logs and chaos-mesh events in the both namespaces; and as far as we see on the ingress-nginx namespace it only creates and updates the podnetworkchaos.chaos-mesh.org resource.

NetworkChaos experiment -->

kind: NetworkChaos
apiVersion: chaos-mesh.org/v1alpha1
metadata:
  namespace: backend-test
  name: platform-test-1
spec:
  selector:
    namespaces:
      - backend-test
    labelSelectors:
      app: backend-test
  mode: all
  action: delay
  duration: 6s
  delay:
    latency: 3s
    correlation: '0'
    jitter: '0'
  direction: to
  target:
    selector:
      namespaces:
        - ingress-nginx
      labelSelectors:
        app.kubernetes.io/instance: ingress
    mode: one

giving the following priv. to the user in ingress-nginx namespace solves this validation webhook problem (since admission webhooks are applied in lexical order; maybe we saw last failed one)

- apiGroups:
  - chaos-mesh.org
  resources:
  - networkchaos
  - podnetworkchaos
  verbs:
  - "*"

But we want to give the following because we want to allow only one direction networkchaos experiment; but it gives the webhook error that I shared above

- apiGroups:
  - chaos-mesh.org
  resources:
  - podnetworkchaos
  verbs:
  - "*"

What did you expect to see?
if possible; to be able to allow only one direction networkchaos experiment between two different namespaces; and do not give users more privileges for the target namespace.
What did you see instead?
If we want to perform some networkchaos experiment between two namespaces (only for one direction); we have to have same privileges on both namespaces.
Output of chaosctl