-
Notifications
You must be signed in to change notification settings - Fork 304
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Lower needed privileges for user namespaces #749
Comments
Thank you for opening your first issue in this project! Engagement like this is essential for open source projects! 🤗 |
I don't quite understand what you mean. If the hub needs permissions to create namespaces for users doesn't that require a ClusterRole? How would it be restricted? Do you have an example of an RBAC role you think is suitable? |
Basically, user can usually create a new namespace. (at least with default roles we use). Since this new namespace is created by the user, he has control over the namespace (list pods and so on). However, jupyterhub needs cluster role to list all objects at cluster scope which is not necessarry, it should list only individual namespaces the hub has created. This situation allows a user deploy only variant without user namespaces, he cannot deploy variant with user namespaces, because he cannot possess clusterrole allowing to list all cluster-scoped objects. Is it more clear now or should I try to explain better? |
Note, this request is not about adding/changing RBAC, code update would be needed to not list objects at cluster scope: kubespawner/kubespawner/reflector.py Line 270 in dbacf2b
|
I still don't understand. The Hub runs under a single K8s service account. The default in Z2JH is a Role which only works in a single namespace https://github.com/jupyterhub/zero-to-jupyterhub-k8s/blob/56c921de05ffeed559fe906972975856e4639cb6/jupyterhub/templates/hub/rbac.yaml#L2-L14 |
OK, so another attempt. Hub runs, e.g., in the namespace However, the service account still cannot list/get/delete pods from any namespace at cluster level and this is not desired. So, the current implementation of user namespaces requires cluster-role allowing to list pods from all namespaces, which cannot be allowed for ordinary user so he cannot deploy his own instance of jupyterhub with enabled user namespaces. The use case here is, that a user can run his own instance of jupyterhub with enabled user namespaces, but it does not mean that the hub should utilize user's namespaces. The hub can run in one of the user's namespaces and then the hub creates namespaces via the sevice accounts which allows the service account to access these new namespaces even without special clusterole. Don't you agree? |
Plus 1 on this since we are looking for a use case where users/team are separated by namespace to isolate all their notebooks specific to them. Other integrations as well are heavily reliant on service account like AWS IRSA or Hashicorp Vault. If there's a make_svc_account, this would improve management and lab experience. |
Proposed change
Currently, kubespawner requires rich cluster role permissions to get all pods and other objects when user namespaces are enabled. This makes it problematic to deploy to non-admins.
I believe the code could be changed so that only namespaces created by the hub are scanned, and no additional permissions are required for such namespaces. Would it be possible to make this change?
What do you think?
The text was updated successfully, but these errors were encountered: