Introduce the Authorizer Webhook. #214
Merged
* WIP changes for authorizer webhook.
Signed-off-by: madhav bhargava <madhav.bhargava@sap.com>
Signed-off-by: Saketh Kalaga <saketh.kalaga@sap.com>
* Minor refactoring of method signatures in the handler.
* Added labels for authorizer webhook in values.yaml and also in helpers.tpl
Signed-off-by: Madhav Bhargava <madhav.bhargava@sap.com>
Signed-off-by: Saketh Kalaga <saketh.kalaga@sap.com>
* `UPDATE` operations were using `Object` instead of `OldObject`. Since the labels on the resources are used to establish that a resource is managed by Grove, if an update operation modifies these labels, then Grove would be unable to ascertain these objects are managed by Grove, and unwanted operations might be admitted. To prevent this, `OldObject` is used instead.
* `ValidatingWebhookConfiguration` for the authorizer webhook now has a separate rule for pods, which registers only `UPDATE` operations. `DELETE` operations must be admitted always, as pods might need to be deleted during some point in their lifecycle for various reasons.
Signed-off-by: Saketh Kalaga <saketh.kalaga@sap.com>
* There is no reason to decode `Scale` kinds, since these are only created for the `podcliques`, and `podcliquescalinggroups` resources. Finding the parent resource does not add any information in deciding whether the request is to be admitted or rejected. Therefore, if the Kind is `Scale`, the `User` is checked, and the request is admitted or denied.
* Explicit check to verify a resource is managed by druid or not is removed. This is unnecessary since the requests that the webhook receives are already filtered by the `objectSelector` in `ValidatingWebhookConfiguration`.
Signed-off-by: Saketh Kalaga <saketh.kalaga@sap.com>
Signed-off-by: Saketh Kalaga <saketh.kalaga@sap.com>
Signed-off-by: Madhav Bhargava <madhav.bhargava@sap.com>
* `/scale` events are not handled anymore by the webhook. The actor needs to have RBAC to scale the `podcliques`, and `podcliquescalinggroups` subresources.
* Introduce a `handleCreate()` in the authorizer webhook that handles create operations of resources managed by the Grove operator. Only the operator service account has permission to create these resources.
Signed-off-by: Saketh Kalaga <saketh.kalaga@sap.com>
Signed-off-by: Saketh Kalaga <saketh.kalaga@sap.com>
Signed-off-by: Saketh Kalaga <saketh.kalaga@sap.com>
Signed-off-by: Saketh Kalaga <saketh.kalaga@sap.com>
* Authorizer webhook is enabled by default in `values.yaml`.
* Remove `isEnabled` for validation and defaulting webhooks from `values.yaml`
Signed-off-by: Saketh Kalaga <saketh.kalaga@sap.com>
unmarshall requested changes on Oct 8, 2025
…nology, remove an unnecessary file. Signed-off-by: Saketh Kalaga <saketh.kalaga@sap.com>
* `AuthorizerConfig.ReconcilerServiceAccountUserName` is removed from the `OperatorConfiguration` since it is redundant. This can be inferred through `DownwardAPI`, and reduces configuration required from the user.
* Remove validations for `AuthorizerConfig.ReconcilerServiceAccountUserName`.
* Include `GROVE_OPERATOR_SERVICE_ACCOUNT_NAME` environment variable in the grove operator deployment.
* Construct the serviceaccount username from the `GROVE_OPERATOR_SERVICE_ACCOUNT_NAME` environment variable, and the namespace file with filepath defined in `constants.OperatorNamespaceFile`.
Signed-off-by: Saketh Kalaga <saketh.kalaga@sap.com>
Signed-off-by: Saketh Kalaga <saketh.kalaga@sap.com>
unmarshall approved these changes on Oct 9, 2025
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR introduces the authorizer webhook, which protects resources created/managed by the grove-operator.
This webhook enforces the user to only modify the API that grove exposes to its consumers, which is the `PodCliqueSet`. `PodClique` and `PodCliqueScalingGroup` resources are not intended for direct modification by the user, and thus are protected by the authorizer webhook now.
This user is the reconciler of the grove-operator, and has all access to all resources. It can perform all operations on resources managed by grove-operator.
`generic-garbage-collector` serviceaccount is exempted since this serviceaccount is used for garbage collection of orphaned resources.
`PodCliqueSet` resource, based on the RBAC the user has.
`grove.io/disable-managed-resource-protection` annotation, which can be added to `PodCliqueSet` resources, which will cause the authorizer webhook to stop taking action on that particular `PodCliqueSet`. This feature is useful when a particular `PodCliqueSet` ends up in an undesired state, and cluster administrators would like to take explicit action to fix the `PodCliqueSet` and its child resources.
Which issue(s) this PR fixes:
Fixes #202
Special notes for your reviewer:
Does this PR introduce an API change?
Additional documentation e.g., enhancement proposals, usage docs, etc.:
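
The `OldObject` fix from the commit messages and the service-account exemptions from the description can be seen side by side in the following added example, which is not code from this PR. The `Request` and `Object` types are simplified stand-ins for the Kubernetes admission types, and the label key, namespace and operator service account name are assumed placeholders.

```go
package main

import "fmt"

// Simplified stand-ins, NOT the k8s.io/api/admission/v1 types.
type Object struct{ Labels map[string]string }

type Request struct {
	Operation string  // "CREATE", "UPDATE" or "DELETE"
	Username  string  // identity reported by the API server
	Object    *Object // submitted state (nil on DELETE)
	OldObject *Object // state stored in the cluster (nil on CREATE)
}

// Assumed label key; the real key is not shown on the page.
const managedLabel = "example.invalid/managed-by-grove"

// ServiceAccountUsername builds the username the API server assigns to a service account.
func ServiceAccountUsername(namespace, name string) string {
	return "system:serviceaccount:" + namespace + ":" + name
}

// Allowed reports whether a request is admitted. With useOldObject=false an
// UPDATE is judged by the labels the caller submitted, which is the defect
// described in the commit message; with true it is judged by the stored labels.
func Allowed(req Request, exempt map[string]bool, useOldObject bool) bool {
	if exempt[req.Username] {
		return true // operator reconciler or garbage collector
	}
	subject := req.Object
	if req.Operation == "DELETE" || (req.Operation == "UPDATE" && useOldObject) {
		subject = req.OldObject
	}
	managed := subject != nil && subject.Labels[managedLabel] == "true"
	return !managed
}

func main() {
	exempt := map[string]bool{
		ServiceAccountUsername("grove-system", "grove-operator"):           true, // constructed names
		ServiceAccountUsername("kube-system", "generic-garbage-collector"): true,
	}
	// Constructed request: an UPDATE whose submitted object drops the managed label.
	strip := Request{Operation: "UPDATE", Username: "alice",
		OldObject: &Object{Labels: map[string]string{managedLabel: "true"}},
		Object:    &Object{Labels: map[string]string{}}}
	fmt.Println("judged on Object:   ", Allowed(strip, exempt, false)) // true
	fmt.Println("judged on OldObject:", Allowed(strip, exempt, true))  // false
}
```
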