Description
Hello,
Currently, Onyxia creates the `full_control_namespace` RoleBinding in every namespace it creates, using the hardcoded `admin` ClusterRole:
This behavior is not always desirable, and when it is, the aggregated ClusterRole `admin` can be more permissive than necessary. Is it possible to mitigate this, for instance by:
- adding a flag to toggle the creation of the `full_control_namespace` RoleBinding by Onyxia
- allowing the ClusterRole referenced in `full_control_namespace` to be changed
- removing this entirely, if it is no longer useful for anyone
Thanks!
EDIT: I realize I didn't even mention the main issue at hand. The hardcoded reference to the `admin` ClusterRole has a direct impact on Onyxia configuration. Whenever the Kubernetes cluster running Onyxia adds a new operator (or otherwise "registers" any new CRD on the aggregated `view`/`edit`/`admin` ClusterRoles), the relevant RBAC permissions must be added to a ClusterRole bound to the ServiceAccount running onyxia-api. Failing to do so triggers errors on the onboarding endpoint when it tries to patch the `full_control_namespace` RoleBinding, which in turn makes onyxia-web unusable (alert with 500 error on the homepage).
For instance, after installing External Secrets Operator in our cluster, we could see the following in onyxia-api's logs:
```
2025-01-29T09:03:51.484Z ERROR 27 --- [nio-8080-exec-3] o.a.c.c.C.[.[.[.[dispatcherServlet] : Servlet.service() for servlet [dispatcherServlet] in context with path [/api] threw exception [Request processing failed: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: POST at: https://redacted:443/apis/rbac.authorization.k8s.io/v1/namespaces/redacted/rolebindings. Message: rolebindings.rbac.authorization.k8s.io "full_control_namespace" is forbidden: user "system:serviceaccount:onyxia:onyxia-api" (groups=["system:serviceaccounts" "system:serviceaccounts:onyxia" "system:authenticated"]) is attempting to grant RBAC permissions not currently held:
{APIGroups:["external-secrets.io"], Resources:["clustersecretstores"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["external-secrets.io"], Resources:["externalsecrets"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["external-secrets.io"], Resources:["pushsecrets"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["external-secrets.io"], Resources:["secretstores"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["generators.external-secrets.io"], Resources:["acraccesstokens"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["generators.external-secrets.io"], Resources:["clustergenerators"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["generators.external-secrets.io"], Resources:["ecrauthorizationtokens"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["generators.external-secrets.io"], Resources:["fakes"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["generators.external-secrets.io"], Resources:["gcraccesstokens"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["generators.external-secrets.io"], Resources:["githubaccesstokens"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["generators.external-secrets.io"], Resources:["passwords"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["generators.external-secrets.io"], Resources:["quayaccesstokens"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["generators.external-secrets.io"], Resources:["vaultdynamicsecrets"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}
{APIGroups:["generators.external-secrets.io"], Resources:["webhooks"], Verbs:["create" "delete" "deletecollection" "patch" "update" "get" "watch" "list"]}.
```
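As an added example (not part of this issue or of Onyxia's own code), a small Python helper that turns the "permissions not currently held" lines of such an error into the ClusterRole and ClusterRoleBinding the onyxia-api ServiceAccount would need; the log sample is constructed in the shape of the error above, and the ClusterRole name is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the onyxia-api error quoted above (not a real log).
SAMPLE_LOG = """\
is attempting to grant RBAC permissions not currently held:
{APIGroups:["external-secrets.io"], Resources:["externalsecrets"], Verbs:["create" "delete" "get" "list"]}
{APIGroups:["external-secrets.io"], Resources:["secretstores"], Verbs:["create" "delete" "get" "list"]}
{APIGroups:["generators.external-secrets.io"], Resources:["passwords"], Verbs:["get" "list"]}.
"""

# One "{APIGroups:[...], Resources:[...], Verbs:[...]}" entry as printed by the API server.
RULE_RE = re.compile(r'\{APIGroups:\[([^\]]*)\], Resources:\[([^\]]*)\], Verbs:\[([^\]]*)\]\}')

def _quoted(fragment):
    """Split a ["a" "b"] fragment into its quoted strings (keeps "" for the core API group)."""
    return re.findall(r'"([^"]*)"', fragment)

def parse_missing_rules(log_text):
    """Return (apiGroup, resource, verbs) tuples for every rule the error says is not held."""
    rules = []
    for match in RULE_RE.finditer(log_text):
        groups, resources, verbs = (_quoted(part) for part in match.groups())
        for group in groups:
            for resource in resources:
                rules.append((group, resource, tuple(sorted(verbs))))
    return rules

def build_clusterrole(rules, name):
    """Merge rules sharing an apiGroup and verb set into one PolicyRule; return a ClusterRole."""
    grouped = defaultdict(list)
    for group, resource, verbs in rules:
        grouped[(group, verbs)].append(resource)
    policy = [{"apiGroups": [group], "resources": sorted(resources), "verbs": list(verbs)}
              for (group, verbs), resources in sorted(grouped.items())]
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
            "metadata": {"name": name}, "rules": policy}

def build_binding(role_name, sa_namespace="onyxia", sa_name="onyxia-api"):
    """ClusterRoleBinding attaching the role to the ServiceAccount named in the error."""
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
            "metadata": {"name": role_name},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": role_name},
            "subjects": [{"kind": "ServiceAccount", "name": sa_name, "namespace": sa_namespace}]}

if __name__ == "__main__":
    import json
    role = build_clusterrole(parse_missing_rules(SAMPLE_LOG), "onyxia-api-crd-grants")  # name assumed
    print(json.dumps([role, build_binding(role["metadata"]["name"])], indent=2))
```

The generated rules are exactly what the error lists, i.e. what the aggregated `admin` role already grants for the new CRDs; compare them against what onyxia-api actually needs before applying, since this widens the ServiceAccount's own permissions.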