Enable a namespaced mode for the crossplane controller pod

[frigaut-orange]

What problem are you facing?

Note : I run a crossplane controller pod, without the rbac-manager sidecar.

For now, the crossplane controller asks a lot of cluster-wide permissions on kubernetes-native resources.

Crossplane output logs and crashes when it does not have cluster-wide list and watch permissions on deployments, serviceaccounts, services, and secrets. The Helm Chart also adds permissions on ConfigMaps, but the controller runs fine even without it.

The init container runs and completes just fine.

Current minimal required permissions for the controller to work properly (no logs, starts and runs fine)

Crossplane ClusterRole

---
# Cropped and reorganized ClusterRole, to display only relevant info for this issue
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  - services
  - secrets
  verbs:
  - list
  - watch
- apiGroups:
  - extensions
  - apps
  resources:
  - deployments
  verbs:
  - list
  - watch

What if we remove these permissions ?

Explanation on why this feature is not yet supported

Then wee see the logs. Example:

2025-03-20T09:38:03Z    ERROR   crossplane      Unhandled Error {"logger": "UnhandledError", "error": "pkg/mod/k8s.io/client-go@v0.31.2/tools/cache/reflector.go:243: Failed to watch *v1.ServiceAccount: failed to list *v1.ServiceAccount: serviceaccounts is forbidden: User \"system:serviceaccount:test-crossplane-ns:crossplane\" cannot list resource \"serviceaccounts\" in API group \"\" at the cluster scope"}
k8s.io/client-go/tools/cache.(*Reflector).Run.func1
        /go/pkg/mod/k8s.io/client-go@v0.31.2/tools/cache/reflector.go:308
k8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1
        /go/pkg/mod/k8s.io/apimachinery@v0.31.2/pkg/util/wait/backoff.go:226
k8s.io/apimachinery/pkg/util/wait.BackoffUntil
        /go/pkg/mod/k8s.io/apimachinery@v0.31.2/pkg/util/wait/backoff.go:227
k8s.io/client-go/tools/cache.(*Reflector).Run
        /go/pkg/mod/k8s.io/client-go@v0.31.2/tools/cache/reflector.go:306
k8s.io/client-go/tools/cache.(*controller).Run.(*Group).StartWithChannel.func2
        /go/pkg/mod/k8s.io/apimachinery@v0.31.2/pkg/util/wait/wait.go:55
k8s.io/apimachinery/pkg/util/wait.(*Group).Start.func1
        /go/pkg/mod/k8s.io/apimachinery@v0.31.2/pkg/util/wait/wait.go:72

The same logs appear for Secrets, Deployments, and Services. Also crossplane is not deployed in a crossplane-system namespace, but I don't think it's relevant.

Then, the crossplane pod crashes (enters CrashLoopBackOff) with the last log being :

crossplane: error: cannot start controller manager: failed to wait for usage/usage.apiextensions.crossplane.io caches to sync: timed out waiting for cache to be synced for Kind *v1beta1.Usage

It looks like all these errors cause too much stress on the cache controller and makes it crash. I don't know if it's a matter of performance / resources allocated to the pod, but it may certainly be a concern.

When removing the "watch" verb only, the logs are still produced but the pod doesn't crash. However, creating a Provider resource does not trigger anything.

Hence, we can say that the "namespaced" controller is not supported.

We would like to have this feature, because the list verb enable commands such as :

kubectl get secrets -n test-namespace-1 --as "system:serviceaccount:test-crossplane-ns:crossplane" --as-group "system:authenticated" -oyaml

Which returns the content of all the secrets of a namespace (even without get permissions).

How could Crossplane help solve your problem?

• Adapt the core controller's code to watch namespaced resources only in crossplane's namespace, not cluster-wide.
• Change the crossplane ClusterRole generated by the Helm Chart in order to remove permissions on Services, ServiceAccounts, Secrets, Deployments and Configmaps.
• Update the corresponding design doc to reflect these changes (if necessary ?)

I don't know if there are use cases with Crossplane for it to require the current permissions. If so :

• Add a --namespaced option to the controller and the Helm Chart in order for it to watch kubernetes-native resources only in its namespace

Additional notes

• The problematic resources are the ones native to kubernetes, not crossplane. I make this precision in the light of crossplane v2 where crossplane-related resources might get namespaced at some point.
• A similar issue exists here. I felt like it was not a bug and rather and enhancement so I created this issue, but let me know if this is a duplicate and if I should delete it.
• I can't add labels to this issue but it is related to security

[frigaut-orange]

I have tried a basic implementation to solve this issue, here is my proposal :

Add a `NamespaceRestricted` option to the core command

// cmd/crossplane/core/core.go:108
NamespaceRestricted                 bool `default:"false" env:"NAMESPACE_RESTRICTED"                   help:"Restrict resources watched by the controller to its own namespace."`

The idea of this option is to add compatibility to the core pod with restrictive permissions. The core should then work with permissions like these :

rules:
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  - customresourcedefinitions/status
  verbs:
  - '*'
- apiGroups:
  - apiextensions.crossplane.io
  - pkg.crossplane.io
  - secrets.crossplane.io
  resources:
  - '*'
  verbs:
  - '*'

To achieve this, I :

Configured the cache client to look only in its own namespace

@@ -158,11 +159,20 @@ func (c *startCommand) Run(s *runtime.Scheme, log logging.Logger) error { //noli
        // The claim and XR controllers don't use the manager's cache or client.
        // They use their own. They're setup later in this method.
        eb := record.NewBroadcaster()
+       cacheOptions := cache.Options{
+               SyncPeriod: &c.SyncInterval,
+       }
+       if c.NamespaceRestricted {
+               // This makes the cache controller watch resources only in crossplane's namespace.
+               // Otherwise, it tries to watch resources in all namespaces, and crashes if the
+               // ServiceAccount doesn't have enough permissions.
+               cacheOptions.DefaultNamespaces = map[string]cache.Config{
+                       c.Namespace: {},
+               }
+       }
        mgr, err := ctrl.NewManager(ratelimiter.LimitRESTConfig(cfg, c.MaxReconcileRate), ctrl.Options{
                Scheme: s,
-               Cache: cache.Options{
-                       SyncPeriod: &c.SyncInterval,
-               },
+               Cache:  cacheOptions,

Made the ProviderRevision and FunctionRevision controllers watch namespaced resources only if the option is disabled

--- a/internal/controller/pkg/revision/reconciler.go
+++ b/internal/controller/pkg/revision/reconciler.go
@@ -310,10 +310,6 @@ func SetupProviderRevision(mgr ctrl.Manager, o controller.Options) error {
        cb := ctrl.NewControllerManagedBy(mgr).
                Named(name).
                For(&v1.ProviderRevision{}).
-               Owns(&appsv1.Deployment{}).
-               Owns(&corev1.Service{}).
-               Owns(&corev1.Secret{}).
-               Owns(&corev1.ServiceAccount{}).
                Watches(&v1alpha1.ControllerConfig{}, &EnqueueRequestForReferencingProviderRevisions{
                        client: mgr.GetClient(),
                }).
@@ -335,6 +331,13 @@ func SetupProviderRevision(mgr ctrl.Manager, o controller.Options) error {
                WithFeatureFlags(o.Features),
        }

+       if !o.NamespaceRestricted {
+               cb = cb.Owns(&appsv1.Deployment{}).
+                       Owns(&corev1.Service{}).
+                       Owns(&corev1.Secret{}).
+                       Owns(&corev1.ServiceAccount{})
+       }
+
        if o.PackageRuntime == controller.PackageRuntimeDeployment {
                ro = append(ro, WithRuntimeHooks(NewProviderHooks(mgr.GetClient(), o.DefaultRegistry)))

@@ -424,10 +427,6 @@ func SetupFunctionRevision(mgr ctrl.Manager, o controller.Options) error {
        cb := ctrl.NewControllerManagedBy(mgr).
                Named(name).
                For(&v1.FunctionRevision{}).
-               Owns(&appsv1.Deployment{}).
-               Owns(&corev1.Service{}).
-               Owns(&corev1.Secret{}).
-               Owns(&corev1.ServiceAccount{}).
                Watches(&v1alpha1.ControllerConfig{}, &EnqueueRequestForReferencingFunctionRevisions{
                        client: mgr.GetClient(),
                }).
@@ -449,6 +448,13 @@ func SetupFunctionRevision(mgr ctrl.Manager, o controller.Options) error {
                WithFeatureFlags(o.Features),
        }

+       if !o.NamespaceRestricted {
+               cb = cb.Owns(&appsv1.Deployment{}).
+                       Owns(&corev1.Service{}).
+                       Owns(&corev1.Secret{}).
+                       Owns(&corev1.ServiceAccount{})
+       }
+

TL;DR the consequences of the NamespaceRestricted option would be :

• The manager's cache would only check object in crossplane's namespace
• The ProviderRevision controller and FunctionRevision controller would no longer own Deployments, Services, Secrets and ServiceAccounts. I'm not sure about the consequences of this, but in my tests, installing a provider still results in the ownerReferences field in the Deployment to be correctly added.

Would that be a valid solution to this issue ?

[negz]

@frigaut-orange Sorry, I had this saved to follow up but forgot!

I don't understand the part about provider and function revisions. Isn't it still okay for them to own these things, as long as it's restricted to a single namespace (i.e. only in Crossplane-system)?

For next steps, I'd suggest one of:

• Open a PR to add a brief design proposal (one pager) under design/
• Open a draft PR to illustrate the direction you've taken with your current basic implementation

[frigaut-orange]

No worries! Thank you, I will open PRs as suggested.

The Provider and Function revision controllers can still own said resources indeed, I thought this was part of the issue, but it turns out only the cache causes crashes. I will recap everything in the design proposal anyway.

[frigaut-orange]

Update : I splitted the implementation PR into smaller, feature-focused PRs:

• Add an option to prevent caching of resources in other namespaces #6732 fixes the bug which makes crossplane crash
• Add option to prevent events from being emitted in default namespace #6733 adds an options to prevent events from being created in the default namespace

Another PR can be made afterwards for a more global namespace-restricted option.

[github-actions]

Crossplane does not currently have enough maintainers to address every issue and pull request. This issue has been automatically marked as stale because it has had no activity in the last 90 days. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.

[frigaut-orange]

/fresh