From 7cf2a5da0d2e321bc0567dcb0e1690e9ed51866d Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Sat, 5 Aug 2017 05:28:56 +0200
Subject: [PATCH 1/9] RBAC rights are purely additive so ... a project like kubernetes-kafka should keep them minimal. To access nodes we do need ClusterRole instead of Role.
---
 rbac-namespace-default/node-reader.yml | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rbac-namespace-default/node-reader.yml
diff --git a/rbac-namespace-default/node-reader.yml b/rbac-namespace-default/node-reader.yml
new file mode 100644
index 00000000..50541827
--- /dev/null
+++ b/rbac-namespace-default/node-reader.yml
@@ -0,0 +1,26 @@
+# For kubectl get node, required for kafka init container rack awareness
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: node-reader
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: kafka-node-reader
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: node-reader
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: kafka
From 05107fd5ab40846517c3539310cfe29c4f2b2e5e Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Sat, 5 Aug 2017 05:31:00 +0200
Subject: [PATCH 2/9] I don't really care, but which yaml indentation is winning?
---
 rbac-namespace-default/node-reader.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/rbac-namespace-default/node-reader.yml b/rbac-namespace-default/node-reader.yml
index 50541827..3a133a80 100644
--- a/rbac-namespace-default/node-reader.yml
+++ b/rbac-namespace-default/node-reader.yml
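Review bot: The ClusterRoleBinding that closes the hunk names `subjects: - kind: ServiceAccount`, `name: default`, `namespace: kafka`, so every pod in the kafka namespace that leaves `serviceAccountName` unset receives cluster-wide `get nodes`, not only the init container that does the zone lookup. Given the commit message's aim of keeping grants minimal, a dedicated ServiceAccount created alongside this binding and referenced from the kafka pod spec (presumably a StatefulSet, which this series does not touch) would confine the grant to the workload that needs it; the binding added in events-watcher.yml in PATCH 3/9 has the same shape. The rule itself is already tight (`get` on `nodes` only). `rbac.authorization.k8s.io/v1beta1` was current when this was written, but `rbac.authorization.k8s.io/v1` (Kubernetes 1.8 and later) is the version still served, so it is worth bumping if the manifest is revived.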
@@ -5,12 +5,12 @@ apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
 name: node-reader
 rules:
- - apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
From a8ee55bb48a4915b2f119b0f409e7e714d9faf55 Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Sat, 5 Aug 2017 05:45:29 +0200
Subject: [PATCH 3/9] With default service account curl works again fixes https://github.com/Yolean/kubernetes-kafka/pull/39
---
 rbac-namespace-default/events-watcher.yml | 26 +++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rbac-namespace-default/events-watcher.yml
diff --git a/rbac-namespace-default/events-watcher.yml b/rbac-namespace-default/events-watcher.yml
new file mode 100644
index 00000000..6194e845
--- /dev/null
+++ b/rbac-namespace-default/events-watcher.yml
@@ -0,0 +1,26 @@
+# For kubectl get node, required for kafka init container rack awareness
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: events-watcher
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - watch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: kafka-events-watcher
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: events-watcher
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: kafka
From 35974266ae938856f3a254b12308b1a99e67e5e7 Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Sat, 5 Aug 2017 05:53:02 +0200
Subject: [PATCH 4/9] Got the feeling from kubectl get clusterrole ... that having access control rules, in particular cluster scoped, lying around without knowing where they come from will be unmaintainable over time. Labels show up nicely in describe.
---
 rbac-namespace-default/events-watcher.yml | 4 ++++
 rbac-namespace-default/node-reader.yml | 4 ++++
 2 files changed, 8 insertions(+)
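Review bot: The header comment `# For kubectl get node, required for kafka init container rack awareness` in the new events-watcher.yml is copied from node-reader.yml and does not describe this file, whose only rule grants `watch` on `events`; a comment such as `# For watching events, see https://github.com/Yolean/kubernetes-kafka/pull/39` would match both the rule and the commit message. Separately, events are a namespaced resource, so the reason PATCH 1/9 gives for a ClusterRole (nodes are cluster-scoped) does not apply here, and the ClusterRoleBinding lets the kafka default ServiceAccount watch events in every namespace. If the consumer only needs events from its own namespace, binding with `kind: RoleBinding` plus `namespace: kafka` under `metadata`, while keeping the `roleRef` to the ClusterRole, confines the grant to that namespace.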
diff --git a/rbac-namespace-default/events-watcher.yml b/rbac-namespace-default/events-watcher.yml
index 6194e845..3b2e76d8 100644
--- a/rbac-namespace-default/events-watcher.yml
+++ b/rbac-namespace-default/events-watcher.yml
@@ -4,6 +4,8 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
 name: events-watcher
+ labels:
+ origin: github.com_Yolean_kubernetes-kafka
 rules:
 - apiGroups:
 - ""
@@ -16,6 +18,8 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
 name: kafka-events-watcher
+ labels:
+ origin: github.com_Yolean_kubernetes-kafka
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
diff --git a/rbac-namespace-default/node-reader.yml b/rbac-namespace-default/node-reader.yml
index 3a133a80..04545793 100644
--- a/rbac-namespace-default/node-reader.yml
+++ b/rbac-namespace-default/node-reader.yml
@@ -4,6 +4,8 @@ kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
 name: node-reader
+ labels:
+ origin: github.com_Yolean_kubernetes-kafka
 rules:
 - apiGroups:
 - ""
@@ -16,6 +18,8 @@ kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
 name: kafka-node-reader
+ labels:
+ origin: github.com_Yolean_kubernetes-kafka
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
From 8f637b7385ce3d1e4737fdb8c34801f10e49b2ae Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Sat, 5 Aug 2017 06:10:47 +0200
Subject: [PATCH 5/9] Recommends that you create rbac
---
 README.md | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/README.md b/README.md
index 9853d12e..e0cdf911 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,13 @@ For clients we tend to use [librdkafka](https://github.com/edenhill/librdkafka)-
 To use [Kafka Connect](http://kafka.apache.org/documentation/#connect) and [Kafka Streams](http://kafka.apache.org/documentation/streams/) you may want to take a look at our [sample](https://github.com/solsson/dockerfiles/tree/master/connect-files) [Dockerfile](https://github.com/solsson/dockerfiles/tree/master/streams-logfilter)s.
 Don't forget the [addon](https://github.com/Yolean/kubernetes-kafka/labels/addon)s.
+## RBAC
+
+For clusters that enfoce [RBAC](https://kubernetes.io/docs/admin/authorization/rbac/) there's a minimal set of policies in
+```
+kubectl apply -f rbac-namespace-default/
+```
+
 # Tests
 ```
From 27421fb58b902e595adcf062857a369485cc91cf Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Sat, 5 Aug 2017 06:11:06 +0200
Subject: [PATCH 6/9] Shows how to see that you need rbac, but makes readme heavier
---
 README.md | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/README.md b/README.md
index e0cdf911..c9e6c591 100644
--- a/README.md
+++ b/README.md
@@ -59,6 +59,15 @@ For clusters that enfoce [RBAC](https://kubernetes.io/docs/admin/authorization/r
 kubectl apply -f rbac-namespace-default/
 ```
+For example here's how you see that `kafka`s init containers need RBAC for [rack awareness](https://github.com/Yolean/kubernetes-kafka/pull/41):
+```
+$ kubectl exec kafka-1 -- cat /etc/kafka/server.properties | grep broker.rack
+#init#broker.rack=# zone lookup failed, see -c init-config logs
+$ kubectl logs -c init-config kafka-0
+++ kubectl get node some-node '-o=go-template={{index .metadata.labels "failure-domain.beta.kubernetes.io/zone"}}'
+Error from server (Forbidden): User "system:serviceaccount:kafka:default" cannot get nodes at the cluster scope.: "Unknown user \"system:serviceaccount:kafka:default\""
+```
+
 # Tests
 ```
From 1c6b7bb2866ab531ddaa55c0bed538ae9bd73a40 Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Sat, 5 Aug 2017 06:15:18 +0200
Subject: [PATCH 7/9] Addons can maintain their policies, so moving this to https://github.com/Yolean/kubernetes-kafka/pull/39
---
 rbac-namespace-default/events-watcher.yml | 30 -----------------------
 1 file changed, 30 deletions(-)
 delete mode 100644 rbac-namespace-default/events-watcher.yml
diff --git a/rbac-namespace-default/events-watcher.yml b/rbac-namespace-default/events-watcher.yml
deleted file mode 100644
index 3b2e76d8..00000000
--- a/rbac-namespace-default/events-watcher.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-# For kubectl get node, required for kafka init container rack awareness
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
- name: events-watcher
- labels:
- origin: github.com_Yolean_kubernetes-kafka
-rules:
-- apiGroups:
- - ""
- resources:
- - events
- verbs:
- - watch
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
- name: kafka-events-watcher
- labels:
- origin: github.com_Yolean_kubernetes-kafka
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: events-watcher
-subjects:
-- kind: ServiceAccount
- name: default
- namespace: kafka
From 79d65fd2e35b29df9cc936ceba3e4b4a1c151201 Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Sat, 5 Aug 2017 06:28:56 +0200
Subject: [PATCH 8/9] Details will live in the respective policies
---
 README.md | 9 ---------
 rbac-namespace-default/node-reader.yml | 9 ++++++++-
 2 files changed, 8 insertions(+), 10 deletions(-)
diff --git a/README.md b/README.md
index c9e6c591..e0cdf911 100644
--- a/README.md
+++ b/README.md
@@ -59,15 +59,6 @@ For clusters that enfoce [RBAC](https://kubernetes.io/docs/admin/authorization/r
 kubectl apply -f rbac-namespace-default/
 ```
-For example here's how you see that `kafka`s init containers need RBAC for [rack awareness](https://github.com/Yolean/kubernetes-kafka/pull/41):
-```
-$ kubectl exec kafka-1 -- cat /etc/kafka/server.properties | grep broker.rack
-#init#broker.rack=# zone lookup failed, see -c init-config logs
-$ kubectl logs -c init-config kafka-0
-++ kubectl get node some-node '-o=go-template={{index .metadata.labels "failure-domain.beta.kubernetes.io/zone"}}'
-Error from server (Forbidden): User "system:serviceaccount:kafka:default" cannot get nodes at the cluster scope.: "Unknown user \"system:serviceaccount:kafka:default\""
-```
-
 # Tests
 ```
diff --git a/rbac-namespace-default/node-reader.yml b/rbac-namespace-default/node-reader.yml
index 04545793..62669cde 100644
--- a/rbac-namespace-default/node-reader.yml
+++ b/rbac-namespace-default/node-reader.yml
@@ -1,4 +1,11 @@
-# For kubectl get node, required for kafka init container rack awareness
+# To see if init containers need RBAC:
+#
+# $ kubectl exec kafka-1 -- cat /etc/kafka/server.properties | grep broker.rack
+# #init#broker.rack=# zone lookup failed, see -c init-config logs
+# $ kubectl logs -c init-config kafka-0
+# ++ kubectl get node some-node '-o=go-template={{index .metadata.labels "failure-domain.beta.kubernetes.io/zone"}}'
+# Error from server (Forbidden): User "system:serviceaccount:kafka:default" cannot get nodes at the cluster scope.: "Unknown user \"system:serviceaccount:kafka:default\""
+#
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
From 13520a6f495fc59d4901c9e39eb3498598a5e1ee Mon Sep 17 00:00:00 2001
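Review bot: The new header in node-reader.yml replaces the only statement of what the file grants with a diagnostic transcript, so a reader now has to infer the purpose from the `rules:` block, which sits below the hunk; keep a purpose line ahead of the transcript, e.g. `# Grants get on nodes to the kafka default ServiceAccount; the init container needs it for the zone lookup (rack awareness).` followed by the existing `# To see if init containers need RBAC:`. Across the series, PATCH 9/9 deletes this file and PATCH 7/9 already deleted events-watcher.yml, while the README hunk here keeps the PATCH 5/9 section that says `kubectl apply -f rbac-namespace-default/`, so as far as this series shows the README ends up pointing at a directory with no manifests in it. Either drop that README section together with the file or point it at the pull request the policy moved to.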
From: Staffan Olsson
Date: Sat, 5 Aug 2017 06:30:25 +0200
Subject: [PATCH 9/9] Moved to its PR, multizone-rack-awareness
---
 rbac-namespace-default/node-reader.yml | 37 --------------------------
 1 file changed, 37 deletions(-)
 delete mode 100644 rbac-namespace-default/node-reader.yml
diff --git a/rbac-namespace-default/node-reader.yml b/rbac-namespace-default/node-reader.yml
deleted file mode 100644
index 62669cde..00000000
--- a/rbac-namespace-default/node-reader.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-# To see if init containers need RBAC:
-#
-# $ kubectl exec kafka-1 -- cat /etc/kafka/server.properties | grep broker.rack
-# #init#broker.rack=# zone lookup failed, see -c init-config logs
-# $ kubectl logs -c init-config kafka-0
-# ++ kubectl get node some-node '-o=go-template={{index .metadata.labels "failure-domain.beta.kubernetes.io/zone"}}'
-# Error from server (Forbidden): User "system:serviceaccount:kafka:default" cannot get nodes at the cluster scope.: "Unknown user \"system:serviceaccount:kafka:default\""
-#
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
- name: node-reader
- labels:
- origin: github.com_Yolean_kubernetes-kafka
-rules:
-- apiGroups:
- - ""
- resources:
- - nodes
- verbs:
- - get
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
- name: kafka-node-reader
- labels:
- origin: github.com_Yolean_kubernetes-kafka
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: node-reader
-subjects:
-- kind: ServiceAccount
- name: default
- namespace: kafka