Introduce an authorizer webhook whose sole purpose is to protect all managed resources from undesired modification (accidental or malicious).
When to enable?
- The webhook is enabled by default. Open question: whether an option to disable it is required at all.
Which resources does it protect from modification?
- PodCliqueScalingGroup & Scale subresource
- PodClique & Scale subresource
- Pod
- PodGang
- Secrets (token secret used by the init container)
- Service (headless service created per replica of PCS)
- ServiceAccount (used by init container)
- Role (used by init container)
- RoleBinding (used by init container)
All of the above resources are created and owned by the Grove operator for every PodCliqueSet. Direct modification of them should never be necessary, so the webhook rejects it.
Who is allowed to make direct changes to managed resources and what changes are allowed?
Only a small set of service accounts / technical users may change the managed resources listed above, and each is limited to the operations it actually needs:
- horizontal-pod-autoscaler ServiceAccount: may update the Scale subresource and nothing else.
- generic-garbage-collector ServiceAccount: may garbage-collect objects. This is the garbage collection that runs as part of kube-controller-manager (KCM) and removes dependent objects (e.g., Pods, ReplicaSets or other resources) whose owner no longer exists, i.e. orphaned objects. This service account should only be able to delete resources that are no longer needed (orphaned).
- Reconciler service account used by the Grove operator: may change everything.
- Service account of an external autoscaler, if one is used (e.g. Planner from Dynamo): may change the scale subresource of PCS, PCSG and PCLQ, and nothing else.
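The policy above, modelled as the decision logic of a validating admission webhook, as an added example that is not Grove's own code. It assumes the Grove CRDs live in the API group grove.io with the plural names podcliquescalinggroups, podcliques and podgangs, that the KCM controllers authenticate as system:serviceaccount:kube-system:horizontal-pod-autoscaler and system:serviceaccount:kube-system:generic-garbage-collector (which is what the controller manager does when it runs with --use-service-account-credentials), and that the Grove reconciler and Dynamo Planner service accounts are named as in the constants below; all of those names are placeholders. The AdmissionRequest type is a hand-rolled subset of admission.k8s.io/v1 so that the example builds with the standard library only.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// AdmissionRequest mirrors the subset of AdmissionReview.request the policy
// needs; hand-rolled so the example builds with the standard library only.
type AdmissionRequest struct {
	UID       string `json:"uid"`
	Operation string `json:"operation"` // CREATE, UPDATE, DELETE or CONNECT
	Resource  struct {
		Group    string `json:"group"` // "" for the core group
		Resource string `json:"resource"`
	} `json:"resource"`
	SubResource string `json:"subResource"` // "" or "scale"
	UserInfo    struct {
		Username string `json:"username"` // system:serviceaccount:<ns>:<name>
	} `json:"userInfo"`
}

// Decision is the verdict plus the message returned to the API client.
type Decision struct {
	Allowed bool
	Reason  string
}

// Principal names. KCM controllers authenticate as kube-system service accounts
// when --use-service-account-credentials is set; Grove and Planner names are assumed.
const (
	groveGroup     = "grove.io" // assumed API group of the Grove CRDs
	hpaUser        = "system:serviceaccount:kube-system:horizontal-pod-autoscaler"
	gcUser         = "system:serviceaccount:kube-system:generic-garbage-collector"
	reconcilerUser = "system:serviceaccount:grove-system:grove-operator"
	plannerUser    = "system:serviceaccount:dynamo-system:planner"
)

// managed holds the operator-owned "group/resource" pairs the webhook guards.
// PodCliqueSet is user-owned, so it and its scale subresource are not guarded.
var managed = map[string]bool{
	groveGroup + "/podcliquescalinggroups": true, groveGroup + "/podcliques": true,
	groveGroup + "/podgangs": true, "/pods": true, "/secrets": true, "/services": true,
	"/serviceaccounts": true, "rbac.authorization.k8s.io/roles": true,
	"rbac.authorization.k8s.io/rolebindings": true,
}

// scalable holds the managed resources whose scale subresource autoscalers may update.
var scalable = map[string]bool{groveGroup + "/podcliquescalinggroups": true, groveGroup + "/podcliques": true}

// isScaleUpdate: an UPDATE of the scale subresource of a scalable resource
// (patches reach admission as UPDATE, so no other verb is needed to scale).
func isScaleUpdate(req AdmissionRequest, k string) bool {
	return req.SubResource == "scale" && req.Operation == "UPDATE" && scalable[k]
}

// Decide applies the policy. Only writes reach a validating webhook, so every
// request is a mutation and unknown principals are denied by default.
func Decide(req AdmissionRequest) Decision {
	k := req.Resource.Group + "/" + req.Resource.Resource
	if !managed[k] {
		return Decision{true, "resource is not managed by Grove"}
	}
	user := req.UserInfo.Username
	switch {
	case user == reconcilerUser:
		return Decision{true, "Grove reconciler may change everything"}
	case user == hpaUser && isScaleUpdate(req, k):
		return Decision{true, "HPA scale update"}
	case user == hpaUser:
		return Decision{false, "horizontal-pod-autoscaler may only update the scale subresource"}
	case user == gcUser && req.Operation == "DELETE": // orphan status is not re-checked here
		return Decision{true, "garbage collector delete"}
	case user == gcUser:
		return Decision{false, "generic-garbage-collector may only delete"}
	case user == plannerUser && isScaleUpdate(req, k):
		return Decision{true, "external autoscaler scale update"}
	case user == plannerUser:
		return Decision{false, "external autoscaler may only update the scale subresource of PCSG/PCLQ"}
	}
	return Decision{false, fmt.Sprintf("%s on %s by %s denied: resource is managed by Grove", req.Operation, k, user)}
}

// HandleReview decodes an admission.k8s.io/v1 AdmissionReview and encodes the response.
func HandleReview(raw []byte) ([]byte, error) {
	var in struct {
		Request AdmissionRequest `json:"request"`
	}
	if err := json.Unmarshal(raw, &in); err != nil {
		return nil, fmt.Errorf("decode AdmissionReview: %w", err)
	}
	d := Decide(in.Request)
	return json.Marshal(map[string]interface{}{
		"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
		"response": map[string]interface{}{"uid": in.Request.UID, "allowed": d.Allowed,
			"status": map[string]interface{}{"message": d.Reason}},
	})
}

// sampleReview is a constructed request: a developer deleting a Grove-managed Pod.
const sampleReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"7f1c",` +
	`"operation":"DELETE","resource":{"group":"","version":"v1","resource":"pods"},` +
	`"userInfo":{"username":"system:serviceaccount:default:dev"}}}`

func main() {
	out, err := HandleReview([]byte(sampleReview))
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out)) // response.allowed is false
}
```

Two things to keep in mind when wiring this into a ValidatingWebhookConfiguration: register it with failurePolicy: Fail, otherwise making the webhook unavailable is enough to bypass the protection; and note that the username check is the only gate, so the reconciler's service account token is now the key to every managed object and must be scoped to the operator's own pod. The garbage-collector branch trusts that KCM only issues DELETE for orphaned dependents; verifying that the owner really is gone would need an API lookup from inside the webhook.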