fix(helm): resolve RBAC permissions for namespaced gateway sources #5578
Conversation
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @u-kai. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
the
size/L
| - --namespace={{ .Release.Namespace }} | ||
| {{- end }} | ||
| {{- if .Values.gatewayNamespace }} | ||
| - --gateway-namespace={{ .Values.gatewayNamespace }} |
There was a problem hiding this comment.
I think one of the issues is, that Gateway actually uses --gateway-namespace when it should be unified and --namespace is just enough. This is just a confusion.
|
@ivankatliarchuk The separate The flag already exists in the external-dns, so this change maintains consistency with the existing CLI interface while fixing the RBAC permissions for namespaced deployments. |
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
I found an initial PR #2292 As short term it seems like a fix. But not clear Long term solutions are
In my opinion, if |
|
Related issues:
|
k8s-ci-robot
added
size/XL
k8s-ci-robot
added
size/L
|
@ivankatliarchuk That said, I’d like to clarify one point — does this proposal also imply deprecating or integrating the If so, my personal opinion is that In such cases, having a dedicated So in conclusion, I’m in favor of enabling multi-namespace support for |
|
@mloiseleur wdyt? |
|
In External DNS doc on flags, it says:
With current state of External DNS, this PR looks valid to me. It allows user to use the same namespace or different namespace, with similar names between the binary and the chart. For instance, a user may want to use external dns CRD on external-dns namespace and Gateway on gateway namespaces. @ivankatliarchuk An answer to your idea would be to implement a |
There was a problem hiding this comment.
@u-kai About the implementation, why are you adding a specific ClusterRole and ClusterRoleBinding ? Wouldn't it be simpler to use the same CR & CRB with just extended required permissions ?
|
Make sense |
|
@mloiseleur Let me explain the implementation. For Technical Requirements:
Implementation Approach:
This design grants exactly the permissions needed for each scenario while maintaining security isolation. |
|
/assign @stevehipwell |
There was a problem hiding this comment.
Thanks for the PR @u-kai. I've added a comment suggesting an improvement but as I'd like to include this in the next release we can leave that for the next time we need to make changes.
/approve
| Check if any Gateway API sources are enabled | ||
| */}} | ||
| {{- define "external-dns.hasGatewaySources" -}} | ||
| {{- if or (has "gateway-httproute" .Values.sources) (has "gateway-grpcroute" .Values.sources) (has "gateway-tlsroute" .Values.sources) (has "gateway-tcproute" .Values.sources) (has "gateway-udproute" .Values.sources) -}} |
There was a problem hiding this comment.
Why not use hasPrefix in a range loop so the code is less likely to need updating in the future?
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: stevehipwell The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
@mloiseleur @ivankatliarchuk could one of you please add the LGTM if you're happy with this? |
…ubernetes-sigs#5578) * fix(helm): resolve RBAC permissions for namespaced gateway sources * feat(helm): add support for gateway namespace in RBAC configuration * chore(helm): update docs and fix formatting issues * fix(helm): revert README changes and add gatewayNamespace docs * chore lint fmt
5 participants
What does it do ?
This PR resolves RBAC permission issues when using Gateway API sources with
namespaced: trueconfiguration in the Helm chart.It implements proper conditional RBAC creation that supports both same-namespace and cross-namespace gateway access scenarios while maintaining backward compatibility.
Motivation
Fixes #5300 - Gateway API sources require ClusterRole permissions when using
namespaced: true, but the current implementation creates insufficient Role permissions, causing external-dns to fail with RBAC errors.Problem: When
namespaced: trueis set with gateway sources, external-dns needs:namespacesresource)gatewayNamespaceconfiguration)Root Cause: The namespace informer uses
NamespacesFromSelectorfunctionality which requires cluster-wide namespace access, butnamespaced: trueonly creates Role permissions.Solution
Implements Split RBAC approach with conditional logic:
Scenarios Supported:
namespaced=false+ gateway sources → ClusterRole with all permissionsnamespaced=true+ gateway sources + nogatewayNamespace→ Main Role (with gateway permissions) + ClusterRole for namespacesnamespaced=true+ gateway sources +gatewayNamespacespecified → Main Role + ClusterRole for namespaces + Cross-namespace Gateway Rolenamespaced=false/true+ no gateway sources → Standard behavior (unchanged)More