RBAC: predefined k8s cluster roles (view, edit, admin) give no access to emissary objects #5832

Open
@atykhyy

Description

Kubernetes RBAC predefines the cluster-admin cluster role, which has access to everything, and three cluster roles (view, edit, admin) which have permissions spelled out. Additional permissions are aggregated into these roles using labels. Currently, installing emissary CRDs does not add permissions to read or modify objects described by those CRDs to the predefined cluster roles (unlike e.g. cert-manager CRDs). Accordingly, using these roles, e.g. to give a CI runner permissions to upgrade a helm chart that includes emissary objects with a role binding like the one shown below, does not work (Kubernetes API requests fail with 403 Forbidden).

```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: github-workflows
  namespace: dev
subjects:
- kind: User
  name: "<<github_workflows_user_spn>>"
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
```

The following definitions, modeled on cert-manager's, fixed the situation for me:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
  name: emissary-ingress-edit
rules:
- apiGroups: ["getambassador.io"]
  resources:
  - authservices
  - consulresolvers
  - devportals
  - hosts
  - kubernetesendpointresolvers
  - kubernetesserviceresolvers
  - listeners
  - logservices
  - mappings
  - modules
  - ratelimitservices
  - tcpmappings
  - tlscontexts
  - tracingservices
  verbs: ["create","delete","deletecollection","patch","update"]
- apiGroups: ["getambassador.io"]
  resources:
  - hosts/status
  - listeners/status
  - mappings/status
  verbs: ["update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
    rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true"
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-view: "true"
  name: emissary-ingress-view
rules:
- apiGroups: ["getambassador.io"]
  resources:
  - authservices
  - consulresolvers
  - devportals
  - hosts
  - kubernetesendpointresolvers
  - kubernetesserviceresolvers
  - listeners
  - logservices
  - mappings
  - modules
  - ratelimitservices
  - tcpmappings
  - tlscontexts
  - tracingservices
  verbs: ["get","list","watch"]
```
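Added example, not part of the issue or the emissary project: a small offline model of ClusterRole aggregation that shows why the built-in view/edit/admin roles grant nothing on `getambassador.io` resources until a labelled ClusterRole like the ones above is installed. The role data is constructed; the `aggregate-to-*` labels and the view -> edit -> admin chain follow the upstream Kubernetes bootstrap policy, and the resource list is shortened.

```python
# Added example, not from the issue or the emissary project: a small model of
# ClusterRole aggregation showing why the built-in view/edit/admin roles ignore
# emissary CRDs until a labelled ClusterRole exists. Data is constructed; the
# aggregate-to-* labels and the view -> edit -> admin chain follow upstream k8s.
AGG = "rbac.authorization.k8s.io/aggregate-to-"

def rule(groups, resources, verbs):
    return {"apiGroups": groups, "resources": resources, "verbs": verbs}

def role(labels=(), selectors=(), rules=()):
    return {"labels": {AGG + k: "true" for k in labels},
            "selectors": [AGG + s for s in selectors], "rules": list(rules)}

# Built-in roles: own rules omitted, only the aggregation chain matters here.
BUILTIN = {"view": role(labels=["edit"], selectors=["view"]),
           "edit": role(labels=["admin"], selectors=["edit"]),
           "admin": role(selectors=["admin"])}

# The two ClusterRoles proposed in the issue (resource list shortened).
CRD = ["hosts", "listeners", "mappings", "tlscontexts"]
EMISSARY = {
    "emissary-ingress-view": role(labels=["admin", "edit", "view"], rules=[
        rule(["getambassador.io"], CRD, ["get", "list", "watch"])]),
    "emissary-ingress-edit": role(labels=["admin", "edit"], rules=[
        rule(["getambassador.io"], CRD, ["create", "delete", "patch", "update"]),
        rule(["getambassador.io"], ["hosts/status", "mappings/status"], ["update"])]),
}

def resolve(roles):
    """Effective rules per role, iterated to a fixpoint (as the aggregation controller converges)."""
    eff = {n: list(r["rules"]) for n, r in roles.items()}
    changed = True
    while changed:
        changed = False
        for name, r in roles.items():
            for other, o in roles.items():
                if other == name or not any(o["labels"].get(s) == "true" for s in r["selectors"]):
                    continue
                for rl in eff[other]:
                    if rl not in eff[name]:
                        eff[name].append(rl)
                        changed = True
    return eff

def can_i(eff, name, verb, group, resource):
    """Mimic `kubectl auth can-i` for one verb/group/resource against a role."""
    return any((group in rl["apiGroups"] or "*" in rl["apiGroups"])
               and (resource in rl["resources"] or "*" in rl["resources"])
               and (verb in rl["verbs"] or "*" in rl["verbs"])
               for rl in eff.get(name, []))
```

On a live cluster the equivalent check is `kubectl auth can-i list mappings.getambassador.io --as=<user> -n dev`, run before and after applying the labelled ClusterRoles.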

Labels: t:bug