feat(cloud-rbac): cluster-scoped read for Cloud tiers (+ opt-in node-ops)#986
Open
nadaverell wants to merge 1 commit into
Open
feat(cloud-rbac): cluster-scoped read for Cloud tiers (+ opt-in node-ops)#986nadaverell wants to merge 1 commit into
nadaverell wants to merge 1 commit into
Conversation
1eee2d9 to
f87d64b
Compare
…ops)
Built-in admin/edit/view exclude cluster-scoped resources, so Cloud owners/viewers
couldn't see Nodes/PVs/StorageClasses. Add explicit additive ClusterRoleBindings
(the radar-helm pattern, NOT aggregate-to-view which would widen shared built-in
roles cluster-wide):
- radar-cluster-read: get/list/watch on nodes, PVs, storageclasses, ingressclasses,
priorityclasses (+ metrics nodes when rbac.metrics). No Secrets, no RBAC. Bound to
viewer+member+owner. Cluster-scoped read is its own per-tier axis
(clusterScopedRead.{viewer,member,owner}, each default true) — independent of the
namespaced ClusterRole a tier binds to, so a custom *ClusterRole no longer silently
disables infra read. Set a tier false for namespaced-only (e.g. viewer).
- radar-node-ops: patch nodes + list pods + create pods/eviction (exact node_ops.go
verbs; PDBs enforced by eviction API). Owner-only. Cluster-write, default OFF.
patch nodes can't be field-scoped by RBAC, so it also permits relabel/taint.
Docs: cloud/rbac.mdx (radar-docs) + docs/authentication.md cover the per-tier toggle
and security-conscious lockdown recipes.
f87d64b to
9c8e47a
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes the reported bug: Cloud owners/viewers can't see Nodes/PVs/StorageClasses because the tier groups bind to built-in admin/edit/view, which exclude cluster-scoped resources.
Approach — explicit additive bindings (NOT aggregation)
Aggregating into built-in view/edit would widen those shared roles cluster-wide for every other subject bound to them (verified: kyverno/event-exporter SAs bind
viewon our clusters). Instead, mirror the existingradar-helmadd-on: explicit ClusterRoleBindings to thecloud:*groups.radar-cluster-read—get/list/watchon nodes, persistentvolumes, storageclasses, ingressclasses, priorityclasses (+ metrics nodes whenrbac.metrics). No Secrets, no RBAC objects, no namespaces (built-inviewalready grants namespaces). Bound to viewer+member+owner.radar-node-ops—patch nodes+list pods+create pods/eviction(exactpkg/k8score/node_ops.goverbs). Owner-only. Cluster-write, default OFF (cloud.defaultRbac.nodeOps).Gating (verified via
helm templatematrix)Cluster-read is a per-tier axis (
cloud.defaultRbac.clusterScopedRead.{viewer,member,owner}, each default true), independent of the namespaced ClusterRole a tier binds to. Each binding renders when (a) the tier is enabled AND (b) itsclusterScopedReadflag is true. Swapping a tier's namespaced*ClusterRoleno longer disables infra-read (separate bindings) — set the flag false for namespaced-only (e.g.clusterScopedRead.viewer: false). Verified viahelm template: defaults (3 tiers),viewer:false(member+owner only), all-false (empty), customviewerClusterRole(viewer keeps read — decoupled), tier-disabled (absent), OSS-mode (empty). Schema rejects the old bool shape + typo keys.Notes
clusterScopedRead.<tier>: false) for security-conscious orgs (e.g. namespaced-only viewer). Prominent in values + docs (radar-docs#24).Chart.yamlchange:release.ymlstamps chartversion/appVersionfrom the release tag at publish time, so this PR adds templates only; the nextv*tag ships them. Helm lint error pre-exists oncloud-rbac.yaml(CI Helm check is the gate).Note
Medium Risk
Default-on cluster-scoped read widens Cloud tier permissions on chart upgrade; optional
nodeOpsadds cluster-scoped write for owners when enabled.Overview
Fixes Cloud users bound to built-in
admin/edit/viewbeing unable to see Nodes, PVs, StorageClasses, and related cluster-scoped kinds in Radar.The chart now emits a
radar-cluster-readClusterRole (get/list/watchon nodes, persistentvolumes, storageclasses, ingressclasses, priorityclasses; optionalmetrics.k8s.ionodes) with explicitClusterRoleBindingstocloud:viewer,cloud:member, andcloud:owner—notaggregate-to-view, so shared built-in roles are not widened for other cluster subjects. Per-tier opt-out viacloud.defaultRbac.clusterScopedRead.{viewer,member,owner}(each defaults on).An optional
radar-node-opsadd-on (cloud.defaultRbac.nodeOps, default off) grants ownerspatchnodes,listpods, andcreatepods/eviction for Radar cordon/drain. Values, JSON schema, anddocs/authentication.mddocument the new axes.Reviewed by Cursor Bugbot for commit 9c8e47a. Bugbot is set up for automated code reviews on this repo. Configure here.