Is your feature request related to a problem? Please describe.
I'm looking into the cert-manager permissions requirements at cluster-scope and would like to reduce them to a namespace, if possible.
Currently, the cert-manager controller depends on a cluster-scope SubjectAccessReview, which also requires cluster-wide permissions. The need for this is described here: https://github.com/cert-manager/cert-manager/blob/c376bc495c8bb7f710155634ca919e65e134b33e/design/20190708.certificate-request-crd.md#rbac
Access to LocalSubjectAccessReviews can be granted by a Role and does not need a ClusterRole.
cert-manager/pkg/controller/certificatesigningrequests/sync.go, lines 181 to 204 in c376bc4:

```go
resp, err := c.sarClient.Create(ctx, &authzv1.SubjectAccessReview{
	Spec: authzv1.SubjectAccessReviewSpec{
		User:   csr.Spec.Username,
		Groups: csr.Spec.Groups,
		Extra:  extra,
		UID:    csr.Spec.UID,

		ResourceAttributes: &authzv1.ResourceAttributes{
			Group:     certmanager.GroupName,
			Resource:  "signers",
			Verb:      "reference",
			Namespace: issuerNamespace,
			Name:      name,
			Version:   "*",
		},
	},
}, metav1.CreateOptions{})
if err != nil {
	return false, err
}

if resp.Status.Allowed {
	return true, nil
}
```
Describe the solution you'd like
If cert-manager runs in namespace-only mode, LocalSubjectAccessReview could be used instead of SubjectAccessReview, since request permissions for the local namespace are sufficient.
Describe alternatives you've considered
N/A
Additional context
Environment details (remove if not applicable):
- Kubernetes version: 1.28
- Cloud-provider/provisioner: AKS
- cert-manager version: 1.14
- Install method: e.g. helm
/kind feature
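As an added example (not code from this issue or from cert-manager), here is what the namespaced variant of the quoted check would send. To run without client-go it uses a hand-written subset of the authorization.k8s.io/v1 types with the API's field names and JSON tags; it builds the review with the same resource attributes as the snippet, returns the namespaced endpoint it is POSTed to, and interprets the returned status. The namespace, signer name, user and group values are constructed sample data.

```go
// Added example (not cert-manager code): build the namespaced
// LocalSubjectAccessReview that would replace the cluster-scoped
// SubjectAccessReview quoted in the issue, and interpret its status.
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Hand-written subset of the authorization.k8s.io/v1 API types so that this
// runs without client-go. Field names and JSON tags follow the API.
type ObjectMeta struct {
	Namespace string `json:"namespace,omitempty"`
}

type ResourceAttributes struct {
	Namespace string `json:"namespace,omitempty"`
	Verb      string `json:"verb,omitempty"`
	Group     string `json:"group,omitempty"`
	Version   string `json:"version,omitempty"`
	Resource  string `json:"resource,omitempty"`
	Name      string `json:"name,omitempty"`
}

type SubjectAccessReviewSpec struct {
	ResourceAttributes *ResourceAttributes `json:"resourceAttributes,omitempty"`
	User               string              `json:"user,omitempty"`
	Groups             []string            `json:"groups,omitempty"`
	Extra              map[string][]string `json:"extra,omitempty"`
	UID                string              `json:"uid,omitempty"`
}

type SubjectAccessReviewStatus struct {
	Allowed         bool   `json:"allowed"`
	Denied          bool   `json:"denied,omitempty"`
	Reason          string `json:"reason,omitempty"`
	EvaluationError string `json:"evaluationError,omitempty"`
}

type LocalSubjectAccessReview struct {
	APIVersion string                    `json:"apiVersion"`
	Kind       string                    `json:"kind"`
	Metadata   ObjectMeta                `json:"metadata"`
	Spec       SubjectAccessReviewSpec   `json:"spec"`
	Status     SubjectAccessReviewStatus `json:"status,omitempty"`
}

// certmanager.GroupName in the quoted snippet.
const certManagerGroup = "cert-manager.io"

// NewSignerReview builds the namespaced review for "may this requester
// reference signer <name> in <issuerNamespace>?". The API server rejects a
// LocalSubjectAccessReview whose metadata.namespace differs from
// spec.resourceAttributes.namespace, so both are set from issuerNamespace,
// and a review of a cluster-scoped resource (empty namespace) is refused
// here because only a SubjectAccessReview can express it.
func NewSignerReview(issuerNamespace, name, user string, groups []string, extra map[string][]string, uid string) (*LocalSubjectAccessReview, error) {
	if issuerNamespace == "" {
		return nil, fmt.Errorf("signer %q is cluster-scoped; LocalSubjectAccessReview needs a namespace", name)
	}
	return &LocalSubjectAccessReview{
		APIVersion: "authorization.k8s.io/v1",
		Kind:       "LocalSubjectAccessReview",
		Metadata:   ObjectMeta{Namespace: issuerNamespace},
		Spec: SubjectAccessReviewSpec{
			User: user, Groups: groups, Extra: extra, UID: uid,
			ResourceAttributes: &ResourceAttributes{
				Group: certManagerGroup, Resource: "signers", Verb: "reference",
				Namespace: issuerNamespace, Name: name, Version: "*",
			},
		},
	}, nil
}

// Path is the namespaced endpoint the review is POSTed to. Access to it is
// granted by a Role in that namespace with verb "create" on resource
// "localsubjectaccessreviews" in API group "authorization.k8s.io".
func (r *LocalSubjectAccessReview) Path() string {
	return "/apis/authorization.k8s.io/v1/namespaces/" + r.Metadata.Namespace + "/localsubjectaccessreviews"
}

// Decide is a stricter form of the snippet's "if resp.Status.Allowed": only an
// explicit allowed=true passes, "no opinion" (both flags false) and denied=true
// fail, and an evaluation error is surfaced instead of being read as a denial.
func Decide(s SubjectAccessReviewStatus) (bool, error) {
	if s.EvaluationError != "" {
		return false, fmt.Errorf("authorizer error: %s", s.EvaluationError)
	}
	return s.Allowed && !s.Denied, nil
}

func main() {
	// Constructed sample values, not taken from any real cluster.
	rev, err := NewSignerReview("sandbox", "issuers.cert-manager.io/sandbox.my-issuer",
		"system:serviceaccount:sandbox:requester", []string{"system:serviceaccounts"}, nil, "")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	body, _ := json.MarshalIndent(rev, "", "  ")
	fmt.Println("POST", rev.Path())
	fmt.Println(string(body))
}
```

With client-go the same object would be submitted through `clientset.AuthorizationV1().LocalSubjectAccessReviews(ns).Create(ctx, review, metav1.CreateOptions{})`, and the controller's ServiceAccount then needs only a Role in that namespace granting `create` on `localsubjectaccessreviews` (group `authorization.k8s.io`) rather than a ClusterRole for `subjectaccessreviews`. The printed body can also be submitted by hand with `kubectl create --raw <path> -f body.json` to confirm what a given requester is allowed before changing the controller. The caveat is the one encoded in `NewSignerReview`: a LocalSubjectAccessReview can only ask about resources in its own namespace, so a check against a cluster-scoped signer still requires the cluster-scoped SubjectAccessReview.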