Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Separate calico-node and calico-cni-plugin service accounts #7106

Merged
merged 14 commits into from
Mar 24, 2023

Conversation

MichalFupso
Copy link
Contributor

@MichalFupso MichalFupso commented Dec 19, 2022

Description

Split of the calico-node account to calico-node and calico-cni-plugin service account.

Related issues/PRs

Todos

  • Tests
  • Documentation
  • Release note

Release Note

Separate calico-node and calico-cni-plugin service accounts

Reminder for the reviewer

Make sure that this PR has the correct labels and milestone set.

Every PR needs one docs-* label.

  • docs-pr-required: This change requires a change to the documentation that has not been completed yet.
  • docs-completed: This change has all necessary documentation completed.
  • docs-not-required: This change has no user-facing impact and requires no docs.

Every PR needs one release-note-* label.

  • release-note-required: This PR has user-facing changes. Most PRs should have this label.
  • release-note-not-required: This PR has no user-facing changes.

Other optional labels:

  • cherry-pick-candidate: This PR should be cherry-picked to an earlier release. For bug fixes only.
  • needs-operator-pr: This PR is related to install and requires a corresponding change to the operator.

@MichalFupso MichalFupso requested a review from a team as a code owner December 19, 2022 14:33
@marvin-tigera marvin-tigera added this to the Calico v3.25.0 milestone Dec 19, 2022
@marvin-tigera marvin-tigera added docs-pr-required Change is not yet documented release-note-required Change has user-facing impact (no matter how small) labels Dec 19, 2022
@CLAassistant
Copy link

CLAassistant commented Dec 19, 2022

CLA assistant check
All committers have signed the CLA.

Copy link
Member

@caseydavenport caseydavenport left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few minor comments. I think you'll want to do a few things:

  • Test this on a live cluster to make sure all the permissions are correct (check the calico-node and CNI plugin logs for unauthorized permissions errors)
  • Run make generate to update the manifests - you changed the templates in the charts/ dir, but the artifacts need re-rendering afterwards.
  • You will need to make the equivalent changes in the tigera/operator repository, since most users install Calico that way nowadays. https://github.com/tigera/operator/blob/master/pkg/render/node.go#L287

# Used for creating service account tokens to be used by the CNI plugin
- apiGroups: [""]
resources:
- serviceaccounts/token
Copy link
Member

@caseydavenport caseydavenport Dec 19, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This permission should only be on the calico-node serviceaccount, not on the CNI plugin. We don't want any serviceaccount to have permissions to create its own token.

charts/calico/templates/calico-node-rbac.yaml Show resolved Hide resolved
@@ -138,26 +123,6 @@ rules:
- create
- update
{{- if eq .Values.network "calico" }}
# These permissions are required for Calico CNI to perform IPAM allocations.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think with testing you'll find that calico/node also needs some of these permissions.

@@ -17,14 +17,6 @@ rules:
{{- end }}
verbs:
- create
# The CNI plugin needs to get pods, nodes, and namespaces.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think calico/node also needs some of these, unless they are already covered somewhere else.

- create
- update
- delete
# The CNI plugin and calico/node need to be able to create a default
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This comment suggests calico-node still needs the IPAMConfigs permission

@@ -217,7 +218,7 @@ func Run() {
if err != nil {
logrus.WithError(err).Fatal("Failed to create in cluster client set")
}
tr := NewTokenRefresher(clientset, NamespaceOfUsedServiceAccount(), CNIServiceAccountName())
tr := NewTokenRefresher(clientset, NamespaceOfUsedServiceAccount(), NodeServiceAccountName())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The goal of this PR is so that calico/node is generating new tokens for the CNI plugin's service account, so I think we want to leave this line unchanged.

return defaultCNIPluginAccountName
}

func NodeServiceAccountName() string {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we need this function - we shouldn't ever be doing any actions on the calico-node serviceaccount.

@mgleung mgleung modified the milestones: Calico v3.25.0, Calico v3.26.0 Jan 5, 2023
charts/calico/templates/calico-node-rbac.yaml Outdated Show resolved Hide resolved
charts/calico/templates/calico-node-rbac.yaml Outdated Show resolved Hide resolved
charts/calico/templates/calico-node-rbac.yaml Outdated Show resolved Hide resolved
charts/calico/templates/calico-node-rbac.yaml Outdated Show resolved Hide resolved
node/tests/k8st/infra/calico-kdd.yaml Show resolved Hide resolved
node/pkg/cni/token_watch.go Show resolved Hide resolved
@caseydavenport
Copy link
Member

/sem-approve

@@ -242,3 +284,15 @@ subjects:
name: calico-node
namespace: kube-system
{{- end }}
kind: ClusterRoleBinding
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this can be a RoleBinding since it's only for a single serviceaccount in one namespace.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@MichalFupso
Copy link
Contributor Author

/sem-approve

1 similar comment
@mgleung
Copy link
Contributor

mgleung commented Mar 23, 2023

/sem-approve

@MichalFupso MichalFupso removed the docs-pr-required Change is not yet documented label Mar 23, 2023
@MichalFupso MichalFupso added the docs-not-required Docs not required for this change label Mar 23, 2023
@mgleung
Copy link
Contributor

mgleung commented Mar 23, 2023

/sem-approve

@caseydavenport
Copy link
Member

/sem-approve

@caseydavenport caseydavenport changed the title calico-cni-plugin user Separate calico-node and calico-cni-plugin service accounts Mar 24, 2023
@MichalFupso MichalFupso merged commit 5ddead4 into projectcalico:master Mar 24, 2023
mzaian added a commit to mzaian/kubespray that referenced this pull request Sep 11, 2023
mzaian added a commit to mzaian/kubespray that referenced this pull request Sep 14, 2023
mzaian added a commit to mzaian/kubespray that referenced this pull request Sep 18, 2023
k8s-ci-robot pushed a commit to kubernetes-sigs/kubespray that referenced this pull request Sep 19, 2023
* [calico] Make version 3.26.1 default

* [calico] Separate calico-node and calico-cni-plugin service accounts

See: projectcalico/calico#7106
guytet pushed a commit to guytet/kubespray that referenced this pull request Oct 30, 2023
* [calico] Make version 3.26.1 default

* [calico] Separate calico-node and calico-cni-plugin service accounts

See: projectcalico/calico#7106
pedro-peter pushed a commit to pedro-peter/kubespray that referenced this pull request May 8, 2024
* [calico] Make version 3.26.1 default

* [calico] Separate calico-node and calico-cni-plugin service accounts

See: projectcalico/calico#7106
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
docs-not-required Docs not required for this change release-note-required Change has user-facing impact (no matter how small)
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants