
fix(noderesource): use apiGroup in rbac-proxy config (not group)#274

Merged
bdchatham merged 1 commit into
mainfrom
fix/rbac-proxy-config-apigroup-field
May 18, 2026

Conversation

@bdchatham
Collaborator

@bdchatham bdchatham commented May 18, 2026

Summary

GenerateRBACProxyConfigMap was writing the resource API group under the wrong field name in the kube-rbac-proxy ConfigMap. This caused the proxy to silently drop the field, SAR against an empty apiGroup, and return 403 for every authenticated /v0/tasks call.

```yaml
# Before
authorization:
  resourceAttributes:
    group: sei.io        # wrong
    resource: seinodetasks
    ...

# After
authorization:
  resourceAttributes:
    apiGroup: sei.io     # correct
    resource: seinodetasks
    ...
```

The field name apiGroup matches kube-rbac-proxy's authz.ResourceAttributes struct in pkg/authz/auth.go. Note this is the proxy's config struct, not the K8s SubjectAccessReview API (which uses group). The two are distinct types with overlapping but non-identical field names; only the proxy's struct is the source of truth for what its config file accepts.

How it surfaced

Today's harbor nightly-load smoke test exercised the post-PR-#267 RBAC chain end-to-end for the first time. Symptoms:

  • Direct kubectl create subjectaccessreview with group=sei.io for the controller SA → allowed=true
  • Controller's POST to proxy's /v0/tasks → 403 Forbidden with body user=...controller-manager, verb=create, resource=seinodetasks, subresource=

Same user, same resource, same verb, opposite answers. The mismatch is the proxy's SAR using apiGroup="" (empty) because group: is an unknown field in its config struct.

Test plan

  • TestGenerateRBACProxyConfigMap_UsesApiGroup updated to assert apiGroup: sei.io
  • make test passes
  • After merge + image build + platform overlay bump: re-trigger harbor nightly-load cron, confirm both SNDs reach Ready (which requires every node's MarkReady to succeed through the proxy)

Deployment ordering

  1. Merge this PR
  2. CI builds + pushes new controller image
  3. Bump config/manager/manager.yaml (controller-repo PR) so the default image picks up the fix
  4. Bump platform overlays — at minimum harbor (currently pinned via manager-patch.yaml); prod/dev inherit from the controller's default

🤖 Generated with Claude Code

kube-rbac-proxy's authz.ResourceAttributes struct uses field name
apiGroup. Writing `group` made the proxy silently drop the field
and SAR with empty apiGroup, denying every authenticated request
on /v0/tasks with 403.

Surfaced by today's harbor nightly-load smoke test: SAR called
directly against the apiserver with group=sei.io returned allowed,
but the proxy's SAR (built from its own config struct) returned
denied — pointing at the field-name mismatch.
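The silent drop described above, as an added example that is not code from this PR or from kube-rbac-proxy: a struct assumed to mirror the apiGroup field shape is decoded leniently (the misnamed `group` key vanishes and apiGroup stays empty) and strictly (the misnamed key is rejected at load time instead of surfacing later as a 403). The struct, the JSON form of the config and the two loader functions are assumptions for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// ResourceAttributes is an illustrative copy of the shape the PR describes (apiGroup),
// not the upstream type. Assumption: json tags, as k8s-style YAML loaders decode through them.
type ResourceAttributes struct {
	APIGroup string `json:"apiGroup,omitempty"`
	Resource string `json:"resource,omitempty"`
}

type Config struct {
	Authorization struct {
		ResourceAttributes ResourceAttributes `json:"resourceAttributes"`
	} `json:"authorization"`
}

// Constructed configs in JSON form (a YAML subset); "before" misnames the key.
var beforeConfig = []byte(`{"authorization":{"resourceAttributes":{"group":"sei.io","resource":"seinodetasks"}}}`)
var afterConfig = []byte(`{"authorization":{"resourceAttributes":{"apiGroup":"sei.io","resource":"seinodetasks"}}}`)

// LoadLenient decodes like a default decoder: an unknown key is dropped silently,
// so a SubjectAccessReview built from the result carries an empty apiGroup.
func LoadLenient(raw []byte) (Config, error) {
	var c Config
	err := json.Unmarshal(raw, &c)
	return c, err
}

// LoadStrict rejects unknown keys, turning the silent drop into a load-time error.
func LoadStrict(raw []byte) (Config, error) {
	var c Config
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	err := dec.Decode(&c)
	return c, err
}

func main() {
	c, _ := LoadLenient(beforeConfig)
	fmt.Printf("lenient/before: apiGroup=%q\n", c.Authorization.ResourceAttributes.APIGroup)
	_, err := LoadStrict(beforeConfig)
	fmt.Println("strict/before:", err)
	c, _ = LoadStrict(afterConfig)
	fmt.Printf("strict/after: apiGroup=%q\n", c.Authorization.ResourceAttributes.APIGroup)
}
```

Running it prints an empty apiGroup for the lenient "before" load, a `json: unknown field "group"` error for the strict "before" load, and `sei.io` for the corrected config.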
@cursor

cursor Bot commented May 18, 2026

You have used all Bugbot PR reviews included in your free trial for your GitHub account on this workspace.

To continue using Bugbot reviews, enable Bugbot for your team in the Cursor dashboard.

@bdchatham bdchatham merged commit fceffde into main May 18, 2026
2 checks passed