
chore: narrow the RBAC permissions used by the autoscaler (#2039)
This reduces the permissions we request to just those we actually use.

Most resources are moved from the cluster role to the role. The only resource we need at cluster level is `instrumentationconfigs`, used to update the datacollection configmaps with the file patterns to scrape for logs.

Updated the selectors in controller runtime cache.

Tested several flows with CLI and helm.
blumamir authored Dec 20, 2024
1 parent 9cda745 commit 6497397
Showing 6 changed files with 212 additions and 243 deletions.
6 changes: 6 additions & 0 deletions Makefile
Expand Up @@ -215,6 +215,12 @@ cli-diagnose:
@echo "Diagnosing cluster data for debugging"
cd ./cli ; go run -tags=embed_manifests . diagnose

.PHONY: helm-install
helm-install:
@echo "Installing odigos using helm"
helm upgrade --install odigos ./helm/odigos --create-namespace --namespace odigos-system --set image.tag=$(ODIGOS_CLI_VERSION)
kubectl label namespace odigos-system odigos.io/system-object="true"

.PHONY: api-all
api-all:
make -C api all
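Review bot: The namespace `odigos-system` is spelled out twice in the new helm-install target, once for helm and once for kubectl, so the two commands can drift silently if one is edited later. Lifting it into a variable alongside the existing ODIGOS_CLI_VERSION, e.g. `ODIGOS_NAMESPACE ?= odigos-system`, and using `$(ODIGOS_NAMESPACE)` in both lines keeps them aligned and lets a developer install into another namespace without editing the target. The release name `odigos` is hard-coded as well, which is reasonable for a dev target but worth a one-line comment if this is meant to mirror the documented install.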
34 changes: 32 additions & 2 deletions autoscaler/main.go
Expand Up @@ -51,7 +51,7 @@ import (
metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"

apiactions "github.com/odigos-io/odigos/api/actions/v1alpha1"
observabilitycontrolplanev1 "github.com/odigos-io/odigos/api/odigos/v1alpha1"
odigosv1 "github.com/odigos-io/odigos/api/odigos/v1alpha1"
"github.com/odigos-io/odigos/common"

"github.com/odigos-io/odigos/autoscaler/controllers"
Expand All @@ -72,7 +72,7 @@ var (

func init() {
utilruntime.Must(clientgoscheme.AddToScheme(scheme))
utilruntime.Must(observabilitycontrolplanev1.AddToScheme(scheme))
utilruntime.Must(odigosv1.AddToScheme(scheme))
utilruntime.Must(apiactions.AddToScheme(scheme))
//+kubebuilder:scaffold:scheme
}
Expand Down Expand Up @@ -157,6 +157,36 @@ func main() {
&corev1.Secret{}: {
Field: nsSelector,
},
&odigosv1.CollectorsGroup{}: {
Field: nsSelector,
},
&odigosv1.Destination{}: {
Field: nsSelector,
},
&odigosv1.Processor{}: {
Field: nsSelector,
},
&apiactions.AddClusterInfo{}: {
Field: nsSelector,
},
&apiactions.DeleteAttribute{}: {
Field: nsSelector,
},
&apiactions.ErrorSampler{}: {
Field: nsSelector,
},
&apiactions.LatencySampler{}: {
Field: nsSelector,
},
&apiactions.PiiMasking{}: {
Field: nsSelector,
},
&apiactions.ProbabilisticSampler{}: {
Field: nsSelector,
},
&apiactions.RenameAttribute{}: {
Field: nsSelector,
},
},
},
HealthProbeBindAddress: probeAddr,
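Review bot: The ByObject map now lists ten odigos.io and actions.odigos.io types with nsSelector, but nothing in the hunk ties this list to the Role rules in cli/cmd/resources/autoscaler.go that grant list/watch on the same kinds, so a type added to one and not the other shows up only at runtime as a forbidden informer. I would add a comment above the first new entry: `// Keep in sync with the namespaced Role in cli/cmd/resources/autoscaler.go (and wherever helm renders the same rules): every type cached here needs list/watch there.` InstrumentationConfig is deliberately absent from the namespaced selectors, which matches the description's note that it is the one cluster-scoped resource. main() starts outside this hunk.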
202 changes: 70 additions & 132 deletions cli/cmd/resources/autoscaler.go
Expand Up @@ -19,11 +19,15 @@ import (
)

const (
AutoScalerServiceAccountName = "odigos-autoscaler"
AutoScalerServiceName = "auto-scaler"
AutoScalerDeploymentName = "odigos-autoscaler"
AutoScalerAppLabelValue = "odigos-autoscaler"
AutoScalerContainerName = "manager"
AutoScalerDeploymentName = "odigos-autoscaler"
AutoScalerServiceAccountName = AutoScalerDeploymentName
AutoScalerAppLabelValue = AutoScalerDeploymentName
AutoScalerRoleName = AutoScalerDeploymentName
AutoScalerRoleBindingName = AutoScalerDeploymentName
AutoScalerClusterRoleName = AutoScalerDeploymentName
AutoScalerClusterRoleBindingName = AutoScalerDeploymentName
AutoScalerServiceName = "auto-scaler"
AutoScalerContainerName = "manager"
)

func NewAutoscalerServiceAccount(ns string) *corev1.ServiceAccount {
Expand All @@ -46,7 +50,7 @@ func NewAutoscalerRole(ns string) *rbacv1.Role {
APIVersion: "rbac.authorization.k8s.io/v1",
},
ObjectMeta: metav1.ObjectMeta{
Name: "odigos-autoscaler",
Name: AutoScalerRoleName,
Namespace: ns,
},
Rules: []rbacv1.PolicyRule{
Expand Down Expand Up @@ -117,8 +121,8 @@ func NewAutoscalerRole(ns string) *rbacv1.Role {
{
Verbs: []string{
"get",
"patch",
"update",
"list",
"watch",
},
APIGroups: []string{"apps"},
Resources: []string{"deployments/status"},
Expand All @@ -142,107 +146,14 @@ func NewAutoscalerRole(ns string) *rbacv1.Role {
APIGroups: []string{""},
Resources: []string{"secrets"},
},
},
}
}

func NewAutoscalerRoleBinding(ns string) *rbacv1.RoleBinding {
return &rbacv1.RoleBinding{
TypeMeta: metav1.TypeMeta{
Kind: "RoleBinding",
APIVersion: "rbac.authorization.k8s.io/v1",
},
ObjectMeta: metav1.ObjectMeta{
Name: "odigos-autoscaler",
Namespace: ns,
},
Subjects: []rbacv1.Subject{
{
Kind: "ServiceAccount",
Name: "odigos-autoscaler",
},
},
RoleRef: rbacv1.RoleRef{
APIGroup: "rbac.authorization.k8s.io",
Kind: "Role",
Name: "odigos-autoscaler",
},
}
}

func NewAutoscalerClusterRole() *rbacv1.ClusterRole {
return &rbacv1.ClusterRole{
TypeMeta: metav1.TypeMeta{
Kind: "ClusterRole",
APIVersion: "rbac.authorization.k8s.io/v1",
},
ObjectMeta: metav1.ObjectMeta{
Name: "odigos-autoscaler",
},
Rules: []rbacv1.PolicyRule{
{
Verbs: []string{
"get",
"list",
"watch",
},
APIGroups: []string{""},
Resources: []string{"configmaps"},
},
{
Verbs: []string{
"get",
"list",
"watch",
},
APIGroups: []string{""},
Resources: []string{"services"},
},
{
Verbs: []string{
"get",
"list",
"watch",
},
APIGroups: []string{"apps"},
Resources: []string{"daemonsets"},
},
{
Verbs: []string{
"get",
"list",
"watch",
},
APIGroups: []string{"apps"},
Resources: []string{"deployments"},
},
{
Verbs: []string{
"get",
"list",
"watch",
},
APIGroups: []string{"odigos.io"},
Resources: []string{"instrumentationconfigs"},
}, {
Verbs: []string{
"create",
"delete",
"get",
"list",
"patch",
"update",
"watch",
},
APIGroups: []string{"odigos.io"},
Resources: []string{"collectorsgroups"},
},
{
Verbs: []string{
"update",
},
APIGroups: []string{"odigos.io"},
Resources: []string{"collectorsgroups/finalizers"},
Resources: []string{"destinations"},
},
{
Verbs: []string{
Expand All @@ -251,20 +162,7 @@ func NewAutoscalerClusterRole() *rbacv1.ClusterRole {
"update",
},
APIGroups: []string{"odigos.io"},
Resources: []string{"collectorsgroups/status"},
},
{
Verbs: []string{
"create",
"delete",
"get",
"list",
"patch",
"update",
"watch",
},
APIGroups: []string{"odigos.io"},
Resources: []string{"destinations"},
Resources: []string{"destinations/status"},
},
{
Verbs: []string{
Expand All @@ -280,46 +178,86 @@ func NewAutoscalerClusterRole() *rbacv1.ClusterRole {
},
{
Verbs: []string{
"update",
"watch",
"get",
"list",
},
APIGroups: []string{"odigos.io"},
Resources: []string{"destinations/finalizers"},
APIGroups: []string{"actions.odigos.io"},
Resources: []string{"addclusterinfos", "deleteattributes", "renameattributes", "probabilisticsamplers", "piimaskings", "latencysamplers", "errorsamplers"},
},
{
Verbs: []string{
"get",
"patch",
"update",
},
APIGroups: []string{"odigos.io"},
Resources: []string{"destinations/status"},
APIGroups: []string{"actions.odigos.io"},
Resources: []string{"addclusterinfos/status", "deleteattributes/status", "renameattributes/status", "probabilisticsamplers/status", "piimaskings/status", "latencysamplers/status", "errorsamplers/status"},
},
{
Verbs: []string{
"watch",
"get",
"list",
"watch",
},
APIGroups: []string{"actions.odigos.io"},
Resources: []string{"addclusterinfos", "deleteattributes", "renameattributes", "probabilisticsamplers", "piimaskings", "latencysamplers", "errorsamplers"},
APIGroups: []string{"odigos.io"},
Resources: []string{"collectorsgroups"},
},
{
Verbs: []string{
"get",
"patch",
"update",
},
APIGroups: []string{"actions.odigos.io"},
Resources: []string{"addclusterinfos/status", "deleteattributes/status", "renameattributes/status", "probabilisticsamplers/status", "piimaskings/status", "latencysamplers/status", "errorsamplers/status"},
APIGroups: []string{"odigos.io"},
Resources: []string{"collectorsgroups/status"},
},
},
}
}

func NewAutoscalerRoleBinding(ns string) *rbacv1.RoleBinding {
return &rbacv1.RoleBinding{
TypeMeta: metav1.TypeMeta{
Kind: "RoleBinding",
APIVersion: "rbac.authorization.k8s.io/v1",
},
ObjectMeta: metav1.ObjectMeta{
Name: AutoScalerRoleBindingName,
Namespace: ns,
},
Subjects: []rbacv1.Subject{
{
Kind: "ServiceAccount",
Name: AutoScalerServiceAccountName,
},
},
RoleRef: rbacv1.RoleRef{
APIGroup: "rbac.authorization.k8s.io",
Kind: "Role",
Name: AutoScalerRoleName,
},
}
}

func NewAutoscalerClusterRole() *rbacv1.ClusterRole {
return &rbacv1.ClusterRole{
TypeMeta: metav1.TypeMeta{
Kind: "ClusterRole",
APIVersion: "rbac.authorization.k8s.io/v1",
},
ObjectMeta: metav1.ObjectMeta{
Name: AutoScalerClusterRoleName,
},
Rules: []rbacv1.PolicyRule{
{
Verbs: []string{
"get",
"list",
"watch",
},
APIGroups: []string{"odigos.io"},
Resources: []string{"odigosconfigurations"},
Resources: []string{"instrumentationconfigs"},
},
},
}
Expand All @@ -332,19 +270,19 @@ func NewAutoscalerClusterRoleBinding(ns string) *rbacv1.ClusterRoleBinding {
APIVersion: "rbac.authorization.k8s.io/v1",
},
ObjectMeta: metav1.ObjectMeta{
Name: "odigos-autoscaler",
Name: AutoScalerClusterRoleBindingName,
},
Subjects: []rbacv1.Subject{
{
Kind: "ServiceAccount",
Name: "odigos-autoscaler",
Name: AutoScalerServiceAccountName,
Namespace: ns,
},
},
RoleRef: rbacv1.RoleRef{
APIGroup: "rbac.authorization.k8s.io",
Kind: "ClusterRole",
Name: "odigos-autoscaler",
Name: AutoScalerClusterRoleName,
},
}
}
Expand All @@ -362,7 +300,7 @@ func NewAutoscalerLeaderElectionRoleBinding(ns string) *rbacv1.RoleBinding {
Subjects: []rbacv1.Subject{
{
Kind: "ServiceAccount",
Name: "odigos-autoscaler",
Name: AutoScalerServiceAccountName,
},
},
RoleRef: rbacv1.RoleRef{
Expand Down Expand Up @@ -486,7 +424,7 @@ func NewAutoscalerDeployment(ns string, version string, imagePrefix string, imag
},
},
TerminationGracePeriodSeconds: ptrint64(10),
ServiceAccountName: "odigos-autoscaler",
ServiceAccountName: AutoScalerServiceAccountName,
SecurityContext: &corev1.PodSecurityContext{
RunAsNonRoot: ptrbool(true),
},
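Review bot: The `deployments/status` rule in NewAutoscalerRole now grants `list` and `watch` in place of `patch` and `update`, but a status subresource only serves get, update and patch; list and watch are verbs of the parent `deployments` resource, which is presumably granted by its own rule elsewhere in the Role. If the autoscaler no longer writes deployment status, the rule should shrink to `Verbs: []string{"get"}` or be dropped entirely rather than be rewritten with verbs the API server never evaluates on that path, since the stated goal is to request only what is used. NewAutoscalerRole starts before this hunk, and the remaining hunks in this file are moves of rules between the ClusterRole and the Role plus the constant renames.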
