-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Separate calico-node and calico-cni-plugin service accounts #7106
Separate calico-node and calico-cni-plugin service accounts #7106
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A few minor comments. I think you'll want to do a few things:
- Test this on a live cluster to make sure all the permissions are correct (check the calico-node and CNI plugin logs for unauthorized permissions errors)
- Run
make generate
to update the manifests - you changed the templates in the charts/ dir, but the artifacts need re-rendering afterwards. - You will need to make the equivalent changes in the tigera/operator repository, since most users install Calico that way nowadays. https://github.com/tigera/operator/blob/master/pkg/render/node.go#L287
# Used for creating service account tokens to be used by the CNI plugin | ||
- apiGroups: [""] | ||
resources: | ||
- serviceaccounts/token |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This permission should only be on the calico-node serviceaccount, not on the CNI plugin. We don't want any serviceaccount to have permissions to create its own token.
@@ -138,26 +123,6 @@ rules: | |||
- create | |||
- update | |||
{{- if eq .Values.network "calico" }} | |||
# These permissions are required for Calico CNI to perform IPAM allocations. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think with testing you'll find that calico/node also needs some of these permissions.
@@ -17,14 +17,6 @@ rules: | |||
{{- end }} | |||
verbs: | |||
- create | |||
# The CNI plugin needs to get pods, nodes, and namespaces. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think calico/node also needs some of these, unless they are already covered somewhere else.
- create | ||
- update | ||
- delete | ||
# The CNI plugin and calico/node need to be able to create a default |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This comment suggests calico-node still needs the IPAMConfigs permission
node/pkg/cni/token_watch.go
Outdated
@@ -217,7 +218,7 @@ func Run() { | |||
if err != nil { | |||
logrus.WithError(err).Fatal("Failed to create in cluster client set") | |||
} | |||
tr := NewTokenRefresher(clientset, NamespaceOfUsedServiceAccount(), CNIServiceAccountName()) | |||
tr := NewTokenRefresher(clientset, NamespaceOfUsedServiceAccount(), NodeServiceAccountName()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The goal of this PR is so that calico/node is generating new tokens for the CNI plugin's service account, so I think we want to leave this line unchanged.
node/pkg/cni/token_watch.go
Outdated
return defaultCNIPluginAccountName | ||
} | ||
|
||
func NodeServiceAccountName() string { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we need this function - we shouldn't ever be doing any actions on the calico-node serviceaccount.
/sem-approve |
@@ -242,3 +284,15 @@ subjects: | |||
name: calico-node | |||
namespace: kube-system | |||
{{- end }} | |||
kind: ClusterRoleBinding |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this can be a RoleBinding
since it's only for a single serviceaccount in one namespace.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In your other PR, this is a RoleBinding: https://github.com/tigera/operator/pull/2393/files#diff-d4d31d15e69aa9a0bad7776e758dfbd50b8e0e1a969fd16719f56c470cac4e7bR316
/sem-approve |
1 similar comment
/sem-approve |
/sem-approve |
/sem-approve |
* [calico] Make version 3.26.1 default * [calico] Separate calico-node and calico-cni-plugin service accounts See: projectcalico/calico#7106
* [calico] Make version 3.26.1 default * [calico] Separate calico-node and calico-cni-plugin service accounts See: projectcalico/calico#7106
* [calico] Make version 3.26.1 default * [calico] Separate calico-node and calico-cni-plugin service accounts See: projectcalico/calico#7106
Description
Split of the calico-node account to calico-node and calico-cni-plugin service account.
Related issues/PRs
Todos
Release Note
Reminder for the reviewer
Make sure that this PR has the correct labels and milestone set.
Every PR needs one
docs-*
label.docs-pr-required
: This change requires a change to the documentation that has not been completed yet.docs-completed
: This change has all necessary documentation completed.docs-not-required
: This change has no user-facing impact and requires no docs.Every PR needs one
release-note-*
label.release-note-required
: This PR has user-facing changes. Most PRs should have this label.release-note-not-required
: This PR has no user-facing changes.Other optional labels:
cherry-pick-candidate
: This PR should be cherry-picked to an earlier release. For bug fixes only.needs-operator-pr
: This PR is related to install and requires a corresponding change to the operator.