Refactor tenant RBAC rules

[kvaps]

Signed-off-by: Andrei Kvapil kvapss@gmail.com

Summary by CodeRabbit

• New Features

  • Introduced new roles and role bindings for enhanced role-based access control, including specific permissions for viewing, using, and administering resources.
  • Added a new dashboard role for access to helm repositories and charts.

• Bug Fixes

  • Updated application version from 1.6.2 to 1.6.3.

• Chores

  • Updated version declarations for the tenant package in the versions map.

[coderabbitai]

Walkthrough

This pull request introduces version updates and significant RBAC (Role-Based Access Control) modifications for the tenant application. The changes include updating the chart version from 1.6.2 to 1.6.3 and restructuring Kubernetes roles and role bindings to provide more granular permission management. The version map has been updated to reflect these changes, with new version entries added for the tenant package.

Changes

File	Change Summary
packages/apps/tenant/Chart.yaml	Version bumped from 1.6.2 to 1.6.3
packages/apps/tenant/templates/tenant.yaml	Comprehensive RBAC restructuring: - Added multiple new Role and RoleBinding configurations - Introduced granular roles for view, use, admin, and super-admin permissions - Enhanced permission management for service accounts and groups
packages/apps/versions_map	Updated tenant package versions: - Added 1.6.2 ccedc5fe - Added 1.6.3 HEAD - Removed 1.6.2 HEAD

Sequence Diagram

sequenceDiagram
    participant User
    participant K8s as Kubernetes Cluster
    participant RBAC as Role-Based Access Control

    User->>RBAC: Request Access
    RBAC->>RBAC: Evaluate Roles
    alt View Permissions
        RBAC-->>User: Grant Read-Only Access
    else Use Permissions
        RBAC-->>User: Grant Limited Interaction
    else Admin Permissions
        RBAC-->>User: Grant Modify/Delete Rights
    else Super Admin Permissions
        RBAC-->>User: Grant Full Access
    end

Loading

Possibly related PRs

• Feature/add sso roles #480: Version update from 1.5.0 to 1.6.0 in Chart.yaml
• fix kubeconfig #515: Version update from 1.6.1 to 1.6.2 in Chart.yaml
• Fix super-admin role #516: Version update from 1.6.1 to 1.6.2 in Chart.yaml

Suggested labels

enhancement, lgtm

Poem

🐰 Roles dancing, versions prancing,
Permissions leaping with grace,
From 1.6.2 to 1.6.3 we go,
RBAC's magic leaves no trace!
Hop, hop, hooray for tenant's new way! 🚀

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🔭 Outside diff range comments (1)

packages/apps/tenant/templates/tenant.yaml (1)

Line range hint 17-66: Consider restricting default role permissions

The default role has broad permissions with "*" resource access. Consider:

1. Explicitly listing required resources instead of using wildcard
2. Adding explicit deny rules for sensitive operations

 rules:
-  - apiGroups: [""]
-    resources: ["*"]
+  - apiGroups: [""]
+    resources: ["pods", "services", "configmaps", "secrets"]
     verbs: ["get", "list", "watch", "create", "update", "patch"]

🧹 Nitpick comments (1)

packages/apps/tenant/templates/tenant.yaml (1)

Line range hint 216-310: Consider adding security controls for admin role

While the permissions are appropriate, consider enhancing security with:

1. Rate limiting annotations to prevent abuse
2. Audit logging configuration for tracking administrative actions

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between abc8f08 and cc09450.

📒 Files selected for processing (3)

• packages/apps/tenant/Chart.yaml (1 hunks)
• packages/apps/tenant/templates/tenant.yaml (7 hunks)
• packages/apps/versions_map (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• packages/apps/tenant/Chart.yaml

🔇 Additional comments (5)

packages/apps/versions_map (1)

94-95: LGTM: Version updates are properly structured

The version progression from 1.6.2 to 1.6.3 is correctly implemented with appropriate commit references.

packages/apps/tenant/templates/tenant.yaml (4)

Line range hint 67-139: LGTM: View role follows principle of least privilege

The view role is well-structured with appropriate read-only permissions.

---

Line range hint 140-215: LGTM: Use role properly extends view permissions

The role correctly adds VM console/VNC access while maintaining read-only restrictions on other resources.

---

381-414: LGTM: Dashboard role properly restricts access

The role correctly provides limited access to Helm resources in the cozy-public namespace with appropriate group bindings.

---

Line range hint 311-380: Verify super-admin role usage and monitoring

The role has extensive permissions as expected for a super-admin. Ensure:

1. Access to this role is strictly controlled
2. Actions are monitored and logged

✅ Verification successful

Let's search for files containing super-admin references and analyze their content to verify the role configuration and its bindings.

---

Based on the search results, I can see that the super-admin role is well-defined in packages/apps/tenant/templates/tenant.yaml with appropriate RBAC controls. The role bindings show that access is restricted to specific groups and follows a hierarchical tenant structure. The role is used in other critical components like cluster management and CSI drivers, but always with proper service account configurations.

Super-admin role configuration is properly secured

The implementation follows Kubernetes RBAC best practices:

• Role bindings are namespace-scoped
• Group-based access control is implemented
• Hierarchical tenant structure is enforced through conditional bindings
• Service accounts using this role (e.g., in CSI, cluster-autoscaler) have limited scope

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check for any existing RoleBindings to super-admin role
rg -A 5 "super-admin" | grep -B 2 -A 2 "RoleBinding"

Length of output: 50

---

Script:

#!/bin/bash
# Search for super-admin role definitions and bindings with more context
rg -l "super-admin"

# Then get detailed content of files containing super-admin
fd . -t f -x sh -c 'echo "=== {} ===" && cat {} | grep -A 10 -B 10 "super-admin"' \;

Length of output: 65736