diff --git a/config/rbac/kustomization.yaml b/config/rbac/kustomization.yaml
index 1f7b814..4c78d30 100644
--- a/config/rbac/kustomization.yaml
+++ b/config/rbac/kustomization.yaml
@@ -6,4 +6,6 @@ resources:
 - role_binding.yaml
 - leader_election_role.yaml
 - leader_election_role_binding.yaml
+ - task_submitter_role.yaml
 - task_submitter_role_binding.yaml
+ - rbac_proxy_role.yaml
diff --git a/config/rbac/rbac_proxy_role.yaml b/config/rbac/rbac_proxy_role.yaml
new file mode 100644
index 0000000..75833b7
--- /dev/null
+++ b/config/rbac/rbac_proxy_role.yaml
@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: rbac-proxy
+rules:
+ - apiGroups: ["authentication.k8s.io"]
+ resources: ["tokenreviews"]
+ verbs: ["create"]
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
diff --git a/config/rbac/task_submitter_role.yaml b/config/rbac/task_submitter_role.yaml
new file mode 100644
index 0000000..e8ef6d1
--- /dev/null
+++ b/config/rbac/task_submitter_role.yaml
@@ -0,0 +1,8 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: validator-task-submitter
+rules:
+ - apiGroups: ["sei.io"]
+ resources: ["seinodetasks"]
+ verbs: ["create", "get"]
diff --git a/config/rbac/task_submitter_role_binding.yaml b/config/rbac/task_submitter_role_binding.yaml
index 73e0fb1..a6bf027 100644
--- a/config/rbac/task_submitter_role_binding.yaml
+++ b/config/rbac/task_submitter_role_binding.yaml
@@ -1,9 +1,3 @@
-# Binds the controller SA to sei-validator-task-submitter so the
-# controller can submit sidecar tasks via kube-rbac-proxy in TLS mode.
-# Cluster-wide grant — assumes the controller is the single trust
-# authority for all SeiNodes in the cluster. Multi-tenant deployments
-# (operators-other-than-platform creating SeiNodes) require a
-# different scoping model; see #224 follow-ups.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
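Review bot: The new `rbac-proxy` ClusterRole carries no comment explaining why a workload ServiceAccount needs `create` on tokenreviews and subjectaccessreviews, whereas the deleted manifests/rbac/rbac-proxy-clusterrole.yaml recorded that the role is bound to the SeiNode pod SA shared with the seictl sidecar, which therefore inherits TokenReview/SAR rights it does not use. That trade-off belongs next to the rules rather than only in git history; suggest a header above `apiVersion:` such as `# Lets kube-rbac-proxy authenticate (TokenReview) and authorize (SubjectAccessReview) callers. Bound to the SeiNode pod SA, which the seictl sidecar shares and so gains these rights too; per-container tokens are the follow-up.` Separately, config/rbac/kustomization.yaml now ships this role but no binding for it appears anywhere in this diff — the only binding in view is the sample under manifests/samples/ — so if binding is intentionally left to each deployment, a one-line comment saying so in the role file would save the next reader a search.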
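Review bot: The new `validator-task-submitter` rule grants `verbs: ["create", "get"]`, while the deleted manifests/rbac/task-submitter-clusterrole.yaml it replaces granted `["create", "get", "list"]`; if dropping `list` is deliberate it is a welcome narrowing, but any proxy path that issues a SubjectAccessReview with verb `list` will now be denied, so it deserves a sentence in the commit message or a comment. The deleted file also explained that `seinodetasks` is a virtual resource with no CRD that kube-rbac-proxy checks via SubjectAccessReview, and that resourceNames is intentionally empty so bindings reach every SeiNode; the new file says none of that, so suggest carrying over a comment above `rules:` such as `# "seinodetasks" is virtual — kube-rbac-proxy checks it via SubjectAccessReview; no resourceNames, so bindings are cluster-wide unless narrowed with RoleBindings.` The name here is `validator-task-submitter` while the sample binding in manifests/samples references `sei-k8s-validator-task-submitter`; that only lines up if the kustomize overlay applies a `sei-k8s-` namePrefix, which is not visible in this diff — worth confirming, since a roleRef to a non-existent ClusterRole grants nothing and fails silently.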
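Review bot: The removed header documented that this ClusterRoleBinding is a cluster-wide grant that assumes the controller is the single trust authority for every SeiNode and that multi-tenant deployments need a different scoping model; nothing in the new file records that caveat, so the binding's blast radius is now undocumented at the point where it is granted. Suggest keeping a compressed version above `apiVersion:`, e.g. `# Cluster-wide: the controller SA may submit sidecar tasks to every SeiNode. Multi-tenant setups need narrower (RoleBinding/resourceNames) scoping — see #224.` The same comment-only deletion happens in manifests/samples/clusterrolebinding-rbac-proxy.yaml and manifests/samples/clusterrolebinding-task-submitter.yaml, where the removed text was the only guidance on which ServiceAccount or group to fill into the now-bare `name:` and `namespace:` fields.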
@@ -14,7 +8,7 @@ metadata:
 roleRef:
 apiGroup: rbac.authorization.k8s.io
 kind: ClusterRole
- name: sei-validator-task-submitter
+ name: validator-task-submitter
 subjects:
 - kind: ServiceAccount
 name: controller-manager
diff --git a/manifests/rbac/rbac-proxy-clusterrole.yaml b/manifests/rbac/rbac-proxy-clusterrole.yaml
deleted file mode 100644
index 4a35b8a..0000000
--- a/manifests/rbac/rbac-proxy-clusterrole.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-# sei-rbac-proxy carries the K8s API permissions kube-rbac-proxy needs to
-# authenticate and authorize incoming requests: TokenReview to resolve a
-# bearer token into an identity, SubjectAccessReview to check that
-# identity against sei-validator-task-submitter (or any bound role).
-#
-# This ClusterRole is bound to the ServiceAccount running the SeiNode
-# pods — see manifests/samples/clusterrolebinding-rbac-proxy.yaml for a
-# template. The proxy and the seictl sidecar share that SA (one
-# ServiceAccount per pod is a Kubernetes constraint). The trade-off:
-# the seictl sidecar's SA gains TokenReview/SAR permissions it does
-# not use. Acceptable for v1 because the seictl container does not
-# make K8s API calls in normal operation. A future per-container token
-# (projected volume with a dedicated audience) is the cleaner separation
-# — tracked as a follow-up.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: sei-rbac-proxy
-rules:
- - apiGroups: ["authentication.k8s.io"]
- resources: ["tokenreviews"]
- verbs: ["create"]
- - apiGroups: ["authorization.k8s.io"]
- resources: ["subjectaccessreviews"]
- verbs: ["create"]
diff --git a/manifests/rbac/task-submitter-clusterrole.yaml b/manifests/rbac/task-submitter-clusterrole.yaml
deleted file mode 100644
index 1c457e0..0000000
--- a/manifests/rbac/task-submitter-clusterrole.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
-# sei-validator-task-submitter is the standard ClusterRole that operators
-# bind to identities (controller SA, operator humans, fleet automation)
-# that should be permitted to submit tasks to a SeiNode's sidecar.
-#
-# The "seinodetasks" resource is virtual — there is no CRD by that name.
-# kube-rbac-proxy constructs a SubjectAccessReview with this resource on
-# each authenticated request; this ClusterRole is what bindings reference.
-#
-# resourceNames is left empty: bindings get unrestricted access across all
-# SeiNodes by default. Operators narrow access to specific validators by
-# writing additional ClusterRoleBindings (or RoleBindings) with
-# resourceNames set — the SAR carries .name= per the proxy's
-# ConfigMap, so RBAC matches it.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: sei-validator-task-submitter
-rules:
- - apiGroups: ["sei.io"]
- resources: ["seinodetasks"]
- verbs: ["create", "get", "list"]
diff --git a/manifests/samples/clusterrolebinding-rbac-proxy.yaml b/manifests/samples/clusterrolebinding-rbac-proxy.yaml
index ec708ea..a2395d0 100644
--- a/manifests/samples/clusterrolebinding-rbac-proxy.yaml
+++ b/manifests/samples/clusterrolebinding-rbac-proxy.yaml
@@ -1,16 +1,12 @@
-# Example binding for the kube-rbac-proxy ClusterRole. Substitute the
-# ServiceAccount name and namespace for the deployment running SeiNode
-# pods (this is the same SA the seictl sidecar container uses — see
-# platform.Config.ServiceAccount).
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
- name: sei-rbac-proxy
+ name: sei-k8s-rbac-proxy
 subjects:
 - kind: ServiceAccount
 name:
 namespace:
 roleRef:
 kind: ClusterRole
- name: sei-rbac-proxy
+ name: sei-k8s-rbac-proxy
 apiGroup: rbac.authorization.k8s.io
diff --git a/manifests/samples/clusterrolebinding-task-submitter.yaml b/manifests/samples/clusterrolebinding-task-submitter.yaml
index 20c4c66..d9bdeb3 100644
--- a/manifests/samples/clusterrolebinding-task-submitter.yaml
+++ b/manifests/samples/clusterrolebinding-task-submitter.yaml
@@ -1,8 +1,3 @@
-# Example binding for the sei-validator-task-submitter ClusterRole —
-# grants a human-operator group access to submit sidecar tasks. The
-# controller SA itself is bound automatically via the kustomize chart
-# (config/rbac/task_submitter_role_binding.yaml); only third-party
-# identities need their own bindings.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -13,5 +8,5 @@ subjects:
 apiGroup: rbac.authorization.k8s.io
 roleRef:
 kind: ClusterRole
- name: sei-validator-task-submitter
+ name: sei-k8s-validator-task-submitter
 apiGroup: rbac.authorization.k8s.io