kubernetes-sigs / secrets-store-csi-driver

Secrets Store CSI driver for Kubernetes secrets - Integrates secrets stores with Kubernetes via a CSI volume.

Home Page:https://secrets-store-csi-driver.sigs.k8s.io/


Aggregated cluster roles for view access to SecretProviderClassPodStatus

erikgb opened this issue

Describe the solution you'd like

Use case: As a regular namespace user I would like to track the binding between a pod and a SecretProviderClass (SecretProviderClassPodStatus). Access to the status resource currently requires the cluster-admin role or custom RBAC. I think secrets-store-csi-driver should by default allow view access via the aggregated cluster roles view, edit, admin and cluster-reader.

Anything else you would like to add:

Aggregated cluster roles for SecretProviderClass were added in #836, but I don't understand why this wasn't fixed for SecretProviderClassPodStatus at the same time.

Environment:

  • Secrets Store CSI Driver version: (use the image tag): N/A
  • Kubernetes version: (use kubectl version): N/A

This is what I think should be provisioned by default:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-view: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
  name: secretproviderclasspodstatuses-viewer
rules:
  - apiGroups:
      - secrets-store.csi.x-k8s.io
    resources:
      - secretproviderclasspodstatuses
    verbs:
      - get
      - list
      - watch
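The proposal relies on ClusterRole aggregation: the built-in view, edit and admin ClusterRoles carry an aggregationRule, and the controller-manager rewrites their rules as the union of every ClusterRole whose labels match one of the selectors. The script below is an added example (not code from this issue or from secrets-store-csi-driver) that reproduces that union for matchLabels selectors and then answers the question the issue raises: can a subject bound to the view ClusterRole read secretproviderclasspodstatuses without the proposed role, and with it. The ClusterRole objects are constructed inline; the secretproviderclasses-viewer role is an assumed stand-in for whatever #836 added, not the project's actual manifest.

```python
"""Simulate Kubernetes ClusterRole label aggregation and RBAC rule matching.

Added example, not part of the issue or of secrets-store-csi-driver. The
aggregation mirrors what kube-controller-manager does for ClusterRoles with an
aggregationRule (matchLabels only; matchExpressions are not implemented here,
and the built-in view/edit/admin roles only use matchLabels).
"""
from typing import Dict, List

GROUP = "secrets-store.csi.x-k8s.io"
READ_ONLY = {"get", "list", "watch"}

# Constructed ClusterRole objects in the shape of rbac.authorization.k8s.io/v1.
VIEW = {
    "metadata": {"name": "view", "labels": {}},
    "aggregationRule": {"clusterRoleSelectors": [
        {"matchLabels": {"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
    ]},
    "rules": [],  # filled in by aggregation, as the controller-manager does
}

# Assumed stand-in for the SecretProviderClass role the issue attributes to
# #836; the name and contents are assumptions for this example only.
SPC_VIEWER = {
    "metadata": {"name": "secretproviderclasses-viewer",
                 "labels": {"rbac.authorization.k8s.io/aggregate-to-view": "true"}},
    "rules": [{"apiGroups": [GROUP], "resources": ["secretproviderclasses"],
               "verbs": ["get", "list", "watch"]}],
}

# The ClusterRole proposed in the issue, transcribed from its YAML.
SPCPS_VIEWER = {
    "metadata": {"name": "secretproviderclasspodstatuses-viewer",
                 "labels": {"rbac.authorization.k8s.io/aggregate-to-view": "true",
                            "rbac.authorization.k8s.io/aggregate-to-edit": "true",
                            "rbac.authorization.k8s.io/aggregate-to-admin": "true",
                            "rbac.authorization.k8s.io/aggregate-to-cluster-reader": "true"}},
    "rules": [{"apiGroups": [GROUP], "resources": ["secretproviderclasspodstatuses"],
               "verbs": ["get", "list", "watch"]}],
}


def selector_matches(selector: dict, labels: Dict[str, str]) -> bool:
    """matchLabels semantics: every key/value pair must be present on the role."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def aggregate(target: dict, candidates: List[dict]) -> List[dict]:
    """Return the rule union the controller-manager would write into `target`."""
    selectors = target.get("aggregationRule", {}).get("clusterRoleSelectors", [])
    rules: List[dict] = []
    for role in candidates:
        if role["metadata"]["name"] == target["metadata"]["name"]:
            continue  # a role never aggregates itself
        labels = role["metadata"].get("labels", {})
        if any(selector_matches(sel, labels) for sel in selectors):
            rules.extend(role.get("rules", []))
    return rules


def _field_matches(rule: dict, key: str, value: str) -> bool:
    """A rule entry matches an exact value or the "*" wildcard."""
    return any(entry in ("*", value) for entry in rule.get(key, []))


def allows(rules: List[dict], group: str, resource: str, verb: str) -> bool:
    """RBAC is allow-only: the request passes if any single rule covers it."""
    return any(
        _field_matches(r, "apiGroups", group)
        and _field_matches(r, "resources", resource)
        and _field_matches(r, "verbs", verb)
        for r in rules
    )


def non_read_only_verbs(role: dict) -> set:
    """Verbs beyond get/list/watch. Anything aggregated into view reaches every
    subject bound to view, so a viewer role should return an empty set here."""
    return {v for r in role.get("rules", []) for v in r.get("verbs", [])} - READ_ONLY


def can_view(candidates: List[dict], resource: str, verb: str = "get") -> bool:
    """Effective answer for a subject bound to the built-in `view` ClusterRole."""
    return allows(aggregate(VIEW, candidates), GROUP, resource, verb)


if __name__ == "__main__":
    before = [VIEW, SPC_VIEWER]
    after = before + [SPCPS_VIEWER]
    print("view can get secretproviderclasspodstatuses (today):",
          can_view(before, "secretproviderclasspodstatuses"))
    print("view can get secretproviderclasspodstatuses (with proposed role):",
          can_view(after, "secretproviderclasspodstatuses"))
    print("proposed role grants write verbs:", non_read_only_verbs(SPCPS_VIEWER))
```

Two practical checks fall out of this. First, `non_read_only_verbs` is the review gate for any role carrying aggregate-to-view: whatever it grants is inherited by every subject bound to view, edit and admin in every namespace, so it must stay at get/list/watch. Second, an aggregation label is inert on a cluster where no ClusterRole has a matching aggregationRule; upstream Kubernetes ships no cluster-reader role (it exists on OpenShift), so the aggregate-to-cluster-reader label in the proposed manifest is harmless elsewhere. On a live cluster the same question is answered with `kubectl auth can-i get secretproviderclasspodstatuses --as=system:serviceaccount:<ns>:<sa>`.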