Skip to content

✨ auth: use synthetic user/group when service account is not defined #1816

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 13 commits into from
May 14, 2025
Merged

✨ auth: use synthetic user/group when service account is not defined #1816

merged 13 commits into from
May 14, 2025

Conversation

joelanford
Copy link
Member

@joelanford joelanford commented Feb 26, 2025
edited by perdasilva
Loading

Description

Today at a meeting among maintainers of OLMv1, we discussed an idea that @thetechnick proposed awhile back. That is: stop using service accounts and service account tokens. Instead use synthetic names with impersonation.

While we are now 1.0.0 with support for service accounts, we can deprecate that feature and recommend attaching permissions to synthetic users/groups instead.

This PR demonstrates how we might do this. But with the API change, we should write up a detailed design and gain consensus.

This PR uses:

  • User: "olm:clusterextensions:<clusterExtensionName>"
  • Groups: ["olm:clusterextensions", "system:authenticated"] (not sure we need to be explicit about system:authenticated, but it can't hurt)

asciicast

Reviewer Checklist

  • API Go Documentation
  • Tests: Unit Tests (and E2E Tests, if appropriate)
  • Comprehensive Commit Messages
  • Links to related GitHub Issue(s)

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Feb 26, 2025
@netlify Netlify
Copy link

netlify bot commented Feb 26, 2025
edited
Loading

Deploy Preview for olmv1 ready!

Name Link
🔨 Latest commit 626ba75
🔍 Latest deploy log https://app.netlify.com/sites/olmv1/deploys/681c77ddfb9ee200080fe928
😎 Deploy Preview https://deploy-preview-1816--olmv1.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@joelanford joelanford force-pushed the synthetic-permissions branch 3 times, most recently from dfc5ccb to fbcc4a5 Compare February 26, 2025 22:35
@codecov Codecov
Copy link

codecov bot commented Feb 26, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 87.23404% with 6 lines in your changes missing coverage. Please review.

Project coverage is 66.93%. Comparing base (e729569) to head (626ba75).
Report is 6 commits behind head on main.

Files with missing lines Patch % Lines
cmd/operator-controller/main.go 0.00% 2 Missing and 1 partial ⚠️
internal/operator-controller/action/restconfig.go 90.90% 2 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1816      +/-   ##
==========================================
+ Coverage   66.82%   66.93%   +0.10%     
==========================================
  Files          75       76       +1     
  Lines        6337     6378      +41     
==========================================
+ Hits         4235     4269      +34     
- Misses       1839     1844       +5     
- Partials      263      265       +2
Flag Coverage Δ
e2e 44.88% <17.02%> (-0.37%) ⬇️
unit 56.82% <87.23%> (+0.43%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@joelanford joelanford force-pushed the synthetic-permissions branch 3 times, most recently from 11210fc to e44c4d2 Compare February 27, 2025 05:06
@thetechnick
Copy link
Contributor

I'd like to have a discussion on the olmv1 prefix vs just olm and the :admin suffix before this gets merged, but otherwise this looks pretty much how I'd wanted it to look. Thanks for the work!

@perdasilva perdasilva force-pushed the synthetic-permissions branch 2 times, most recently from 1c2f38f to 73e6080 Compare February 27, 2025 12:29
@joelanford
Copy link
Member Author

I'd like to have a discussion on the olmv1 prefix vs just olm and the :admin suffix before this gets merged, but otherwise this looks pretty much how I'd wanted it to look. Thanks for the work!

I put next to no critical thought into the name and group names. @thetechnick you propose the following?

  • User: olm:clusterextensions:<ceName>
  • Group:olm:clusterextensions (and still keep system:authenticated)

@perdasilva perdasilva force-pushed the synthetic-permissions branch from 73e6080 to fb13084 Compare February 27, 2025 13:51
@thetechnick
Copy link
Contributor

@joelanford precisely. 👍

@perdasilva perdasilva force-pushed the synthetic-permissions branch 7 times, most recently from 59b818a to c9575d3 Compare March 5, 2025 10:38
@perdasilva perdasilva force-pushed the synthetic-permissions branch from c9575d3 to 76ca00e Compare March 5, 2025 13:53
@perdasilva perdasilva marked this pull request as ready for review March 6, 2025 08:53
@perdasilva perdasilva requested a review from a team as a code owner March 6, 2025 08:53
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 6, 2025
@perdasilva perdasilva force-pushed the synthetic-permissions branch 3 times, most recently from cd6d528 to 7546680 Compare March 10, 2025 15:10
@perdasilva perdasilva force-pushed the synthetic-permissions branch from 48cb945 to 9904073 Compare March 21, 2025 12:54
@perdasilva perdasilva force-pushed the synthetic-permissions branch from 9904073 to 7c61178 Compare March 31, 2025 14:58
@perdasilva perdasilva force-pushed the synthetic-permissions branch from 7c61178 to 02255cd Compare April 30, 2025 07:23
camilamacedo86
camilamacedo86 reviewed Apr 30, 2025
View reviewed changes
cmd/operator-controller/main.go Outdated
@@ -304,7 +304,7 @@ func run() error {
return err
}
tokenGetter := authentication.NewTokenGetter(coreClient, authentication.WithExpirationDuration(1*time.Hour))
clientRestConfigMapper := action.ServiceAccountRestConfigMapper(tokenGetter)
clientRestConfigMapper := action.ClusterExtensionUserRestConfigMapper(tokenGetter)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We use the SA to generate the names at: https://github.com/operator-framework/operator-controller/blob/main/internal/operator-controller/rukpak/render/generators/generators.go#L84

How would that be after this change?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That SA is the name of an SA that is provided in the permissions section of the CSV. This SA is the SA in the ClusterExtension spec.

Different SAs :)

@perdasilva perdasilva force-pushed the synthetic-permissions branch 3 times, most recently from 8dec944 to fcc4a15 Compare May 7, 2025 10:03
@perdasilva perdasilva requested a review from thetechnick May 7, 2025 10:04
joelanford and others added 13 commits May 8, 2025 11:22
@joelanford @perdasilva
auth: use synthetic user/group when service account is not defined
d3a137f 
Signed-off-by: Joe Lanford <[email protected]>
@perdasilva
Revert API changes
d056584 
Signed-off-by: Per Goncalves da Silva <[email protected]>
@perdasilva
Add featuregate
35814f0 
Signed-off-by: Per Goncalves da Silva <[email protected]>
@perdasilva
Add unit tests
4a48a99 
Signed-off-by: Per Goncalves da Silva <[email protected]>
@perdasilva
Update syntheric user format
e1bbb1f 
Signed-off-by: Per Goncalves da Silva <[email protected]>
@perdasilva
Add featuregate kustomize overlay
743611a 
Signed-off-by: Per Goncalves da Silva <[email protected]>
@perdasilva
Add demo resources
b9d10e3 
Signed-off-by: Per Goncalves da Silva <[email protected]>
@perdasilva
Refactor synthetic auth exported functions
b46041d 
Signed-off-by: Per Goncalves da Silva <[email protected]>
@perdasilva
Update demo
547b72e 
Signed-off-by: Per Goncalves da Silva <[email protected]>
@perdasilva
Add some docs
97f2320 
Signed-off-by: Per Goncalves da Silva <[email protected]>
@perdasilva
Clean up demo resources
dc4067c 
Signed-off-by: Per Goncalves da Silva <[email protected]>
@perdasilva
Address reviewer comments
4bc2f8e 
Signed-off-by: Per Goncalves da Silva <[email protected]>
@perdasilva
Move FG check to main
626ba75 
Signed-off-by: Per Goncalves da Silva <[email protected]>
@perdasilva perdasilva force-pushed the synthetic-permissions branch from fcc4a15 to 626ba75 Compare May 8, 2025 09:22
camilamacedo86
camilamacedo86 reviewed May 8, 2025
View reviewed changes
config/overlays/featuregate/synthetic-user-permissions/patches/enable-featuregate.yaml
# enable synthetic-user feature gate
- op: add
path: /spec/template/spec/containers/0/args/-
value: "--feature-gates=SyntheticPermissions=true"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Cool

camilamacedo86
camilamacedo86 reviewed May 8, 2025
View reviewed changes
hack/demo/synthetic-user-cluster-admin-demo.sh
kubectl apply -f ${DEMO_RESOURCE_DIR}/synthetic-user-perms/argocd-clusterextension.yaml

# wait for cluster extension installation to succeed
kubectl wait --for=condition=Installed clusterextension/argocd-operator --timeout="60s"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WDYT about we add something like

# List ClusterRoleBindings for the synthetic group
kubectl get clusterrolebindings -o json | jq -r '
  .items[] |
  select(.subjects[]? | .kind == "Group" and .name == "olm:clusterextensions") |
  "\(.metadata.name) → \(.roleRef.kind)/\(.roleRef.name)"
'

# List RoleBindings for the synthetic user
kubectl get rolebindings --all-namespaces -o json | jq -r '
  .items[] |
  select(.subjects[]? | .kind == "User" and .name == "olm:clusterextensions:argocd-operator") |
  "\(.metadata.namespace)/\(.metadata.name) → \(.roleRef.kind)/\(.roleRef.name)"
'

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe would be nice add in the demo:

Have we here any step we could add in the demo to prove and show that with the synthetic-user-permissions the workload will have the required permission to run BUT the logged user will not able to take advantage of it to scalate the permissions?

However, it might not too be too simple. So, I am fine without it.

camilamacedo86
camilamacedo86 approved these changes May 8, 2025
View reviewed changes
Copy link
Contributor

@camilamacedo86 camilamacedo86 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just a few nits. ( not mandatory )
It is protected behind a feature gate, so 👍

/lgtm
/approve

I could not find any reason for not move forward with protected as it is.

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label May 8, 2025
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented May 8, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: camilamacedo86

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 8, 2025
@openshift-merge-bot openshift-merge-bot bot merged commit 6cd629e into operator-framework:main May 14, 2025
23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@perdasilva perdasilva perdasilva left review comments

@camilamacedo86 camilamacedo86 camilamacedo86 approved these changes

@thetechnick thetechnick Awaiting requested review from thetechnick

Assignees

@camilamacedo86 camilamacedo86

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@joelanford @thetechnick @perdasilva @camilamacedo86