From e94835576ab226f7ab59dd8bd5eb68a295bd59af Mon Sep 17 00:00:00 2001
From: ni9hty
Date: Thu, 6 Nov 2025 10:16:55 +0100
Subject: [PATCH 1/6] Manual k8s group administrator
---
 cluster/cluster.yaml | 8 ++++++++
 cluster/manifests/roles/cluster-admin-binding.yaml | 3 +++
 2 files changed, 11 insertions(+)
diff --git a/cluster/cluster.yaml b/cluster/cluster.yaml
index 8a750c601c..d4235b5b86 100644
--- a/cluster/cluster.yaml
+++ b/cluster/cluster.yaml
@@ -310,6 +310,14 @@ Resources:
 Type: "STANDARD"
 KubernetesGroups:
 - zalando:readonly
+ EKSAccessEntryManualAuth:
+ Type: "AWS::EKS::AccessEntry"
+ Properties:
+ ClusterName: !Ref EKSCluster
+ PrincipalArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/Manual"
+ Type: "STANDARD"
+ KubernetesGroups:
+ - zalando:administrator
 EKSAddonPodIdentityAgent:
 Type: AWS::EKS::Addon
 Properties:
diff --git a/cluster/manifests/roles/cluster-admin-binding.yaml b/cluster/manifests/roles/cluster-admin-binding.yaml
index cfd1e01f90..496a75fc96 100644
--- a/cluster/manifests/roles/cluster-admin-binding.yaml
+++ b/cluster/manifests/roles/cluster-admin-binding.yaml
@@ -10,3 +10,6 @@ subjects:
 - apiGroup: rbac.authorization.k8s.io
 kind: Group
 name: okta:common/administrator
+- apiGroup: rbac.authorization.k8s.io
+ kind: Group
+ name: zalando:administrator
From daf5f00a291c0bd09a21c254b97dd31ae02b88a3 Mon Sep 17 00:00:00 2001
From: ni9hty
Date: Thu, 6 Nov 2025 16:30:16 +0100
Subject: [PATCH 2/6] keep condition in e2e clusters
---
 cluster/cluster.yaml | 17 +++++++++--------
 cluster/manifests/roles/poweruser-binding.yaml | 3 +++
 2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/cluster/cluster.yaml b/cluster/cluster.yaml
index d4235b5b86..d09e791bce 100644
--- a/cluster/cluster.yaml
+++ b/cluster/cluster.yaml
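Review bot: The new `EKSAccessEntryManualAuth` resource in the cluster.yaml hunk carries no template condition, so every cluster rendered from this file maps `arn:aws:iam::${AWS::AccountId}:role/Manual` into `zalando:administrator`, and the second hunk then adds that group as a subject of cluster-admin-binding.yaml; nothing in either hunk records why this principal needs the administrator group while the neighbouring entry only gets `zalando:readonly`. A comment above the resource would make the intent reviewable, e.g. `# Manual: account-level IAM role mapped straight onto the zalando:administrator group; keep in sync with cluster/manifests/roles/cluster-admin-binding.yaml`. Patches 2 and 3 of this series move the entry under the environment condition with `zalando:engineer` and drop the cluster-admin subject again, so the comment should describe that final shape rather than this intermediate one. The enclosing `Resources` mapping starts outside the hunk.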
@@ -293,6 +293,15 @@ Resources:
 KubernetesGroups:
 - zalando:administrator
 Type: "STANDARD"
+{{- else }}
+ EKSAccessEntryManualAuth:
+ Type: "AWS::EKS::AccessEntry"
+ Properties:
+ ClusterName: !Ref EKSCluster
+ PrincipalArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/Manual"
+ Type: "STANDARD"
+ KubernetesGroups:
+ - zalando:engineer
 {{- end }}
 EKSAccessEntrySecurityAuth:
 Type: "AWS::EKS::AccessEntry"
@@ -310,14 +319,6 @@ Resources:
 Type: "STANDARD"
 KubernetesGroups:
 - zalando:readonly
- EKSAccessEntryManualAuth:
- Type: "AWS::EKS::AccessEntry"
- Properties:
- ClusterName: !Ref EKSCluster
- PrincipalArn: !Sub "arn:aws:iam::${AWS::AccountId}:role/Manual"
- Type: "STANDARD"
- KubernetesGroups:
- - zalando:administrator
 EKSAddonPodIdentityAgent:
 Type: AWS::EKS::Addon
 Properties:
diff --git a/cluster/manifests/roles/poweruser-binding.yaml b/cluster/manifests/roles/poweruser-binding.yaml
index 4e0ca180c2..5f56edbc6f 100644
--- a/cluster/manifests/roles/poweruser-binding.yaml
+++ b/cluster/manifests/roles/poweruser-binding.yaml
@@ -24,3 +24,6 @@ subjects:
 - kind: Group
 name: "okta:common/engineer"
 apiGroup: rbac.authorization.k8s.io
+- kind: Group
+ name: "zalando:engineer"
+ apiGroup: rbac.authorization.k8s.io
From d448874a5bccc4ab46f64e7bd1986e9f4962fd05 Mon Sep 17 00:00:00 2001
From: ni9hty
Date: Thu, 6 Nov 2025 16:32:15 +0100
Subject: [PATCH 3/6] remove admin binding
---
 cluster/manifests/roles/cluster-admin-binding.yaml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/cluster/manifests/roles/cluster-admin-binding.yaml b/cluster/manifests/roles/cluster-admin-binding.yaml
index 496a75fc96..cfd1e01f90 100644
--- a/cluster/manifests/roles/cluster-admin-binding.yaml
+++ b/cluster/manifests/roles/cluster-admin-binding.yaml
@@ -10,6 +10,3 @@ subjects:
 - apiGroup: rbac.authorization.k8s.io
 kind: Group
 name: okta:common/administrator
-- apiGroup: rbac.authorization.k8s.io
- kind: Group
- name: zalando:administrator
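Review bot: The `{{- else }}` branch that now holds `EKSAccessEntryManualAuth` is governed by a `{{- if }}` that lies above the hunk, so a reader of this resource cannot tell from the template which clusters map `role/Manual` to `zalando:engineer` and which keep the `zalando:administrator` mapping visible in the preceding context lines; the commit subject suggests the administrator mapping is meant only for e2e clusters, but the condition itself is not in view. A template comment at the branch would pin that down, e.g. `{{- /* Non-e2e clusters: the Manual role gets the engineer group, not administrator */ -}}`. The poweruser-binding.yaml hunk is consistent with this, since the same group becomes a poweruser subject there. Both the `{{- if }}` and the enclosing `Resources` mapping start outside the hunk.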
From ec91e26d7a395ecc77da40664f6dce34a3b5a100 Mon Sep 17 00:00:00 2001
From: ni9hty
Date: Fri, 7 Nov 2025 09:49:07 +0100
Subject: [PATCH 4/6] add missing engineer permissions
---
 cluster/manifests/02-admission-control/teapot.yaml | 3 ++-
 cluster/manifests/role-sync-controller/cronjob.yaml | 1 +
 cluster/manifests/roles/readonly-binding.yaml | 6 ++++++
 3 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/cluster/manifests/02-admission-control/teapot.yaml b/cluster/manifests/02-admission-control/teapot.yaml
index 22442ea1c3..d05b234a98 100644
--- a/cluster/manifests/02-admission-control/teapot.yaml
+++ b/cluster/manifests/02-admission-control/teapot.yaml
@@ -634,7 +634,8 @@ webhooks:
 - name: 'allow-routesrv-routes-access'
 expression: |
 !(
- "okta:common/engineer" in request.userInfo.groups &&
+ ("okta:common/engineer" in request.userInfo.groups) ||
+ ("zalando:engineer" in request.userInfo.groups) &&
 request.name == "skipper-ingress-routesrv" &&
 request.resource.resource == "services" &&
 request.subResource == "proxy" &&
diff --git a/cluster/manifests/role-sync-controller/cronjob.yaml b/cluster/manifests/role-sync-controller/cronjob.yaml
index 25b4598bd2..5ca521e894 100644
--- a/cluster/manifests/role-sync-controller/cronjob.yaml
+++ b/cluster/manifests/role-sync-controller/cronjob.yaml
@@ -39,6 +39,7 @@ spec:
 - --subject-group=Manual
 - --subject-group=Emergency
 - --subject-group=okta:common/engineer
+ - --subject-group=zalando:engineer
 - --subject-serviceaccount=default/cdp
 - --subject-user=zalando-iam:zalando:service:k8sapi-local_deployment-service-executor
 {{- if eq .Cluster.Environment "test"}}
diff --git a/cluster/manifests/roles/readonly-binding.yaml b/cluster/manifests/roles/readonly-binding.yaml
index d1aaed8b30..88e172e538 100644
--- a/cluster/manifests/roles/readonly-binding.yaml
+++ b/cluster/manifests/roles/readonly-binding.yaml
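Review bot: The rewritten condition in the teapot.yaml hunk, `("okta:common/engineer" in request.userInfo.groups) || ("zalando:engineer" in request.userInfo.groups) && request.name == ...`, is parsed with `&&` binding tighter than `||`, so inside the negation it reads as okta-engineer OR (zalando-engineer AND routesrv AND services AND proxy ...): for any member of `okta:common/engineer` the inner expression is true and the whole validation evaluates to false regardless of what is requested, which, if this policy denies on a false expression, would fail that group for every request the policy matches instead of only the routesrv proxy access. The disjunction needs its own grouping, `("okta:common/engineer" in request.userInfo.groups || "zalando:engineer" in request.userInfo.groups) &&`; patch 5 of this series keeps the same precedence and patch 6 adds the grouping parentheses. The cronjob.yaml hunk is fine on its own, but `okta:common/engineer` and `zalando:engineer` are now paired in teapot.yaml, role-sync-controller/cronjob.yaml, roles/poweruser-binding.yaml and roles/readonly-binding.yaml, which deserves a comment beside the new argument such as `# zalando:engineer mirrors okta:common/engineer; keep the two in step across the RBAC bindings and the teapot policy`. The validation's `expression` block continues past the end of the hunk.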
@@ -22,6 +22,9 @@ subjects:
 - kind: Group
 name: "zalando:readonly"
 apiGroup: rbac.authorization.k8s.io
+ - kind: Group
+ name: "zalando:engineer"
+ apiGroup: rbac.authorization.k8s.io
 ---
 kind: RoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@@ -48,3 +51,6 @@ subjects:
 - kind: Group
 name: "zalando:readonly"
 apiGroup: rbac.authorization.k8s.io
+ - kind: Group
+ name: "zalando:engineer"
+ apiGroup: rbac.authorization.k8s.io
From cad1df05d9bd5c1996ff9cb497d7de1d4193dc7f Mon Sep 17 00:00:00 2001
From: ni9hty
Date: Fri, 7 Nov 2025 17:19:10 +0100
Subject: [PATCH 5/6] commit suggestion
---
 cluster/manifests/02-admission-control/teapot.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cluster/manifests/02-admission-control/teapot.yaml b/cluster/manifests/02-admission-control/teapot.yaml
index d05b234a98..9842e49361 100644
--- a/cluster/manifests/02-admission-control/teapot.yaml
+++ b/cluster/manifests/02-admission-control/teapot.yaml
@@ -634,8 +634,8 @@ webhooks:
 - name: 'allow-routesrv-routes-access'
 expression: |
 !(
- ("okta:common/engineer" in request.userInfo.groups) ||
- ("zalando:engineer" in request.userInfo.groups) &&
+ "okta:common/engineer" in request.userInfo.groups ||
+ "zalando:engineer" in request.userInfo.groups &&
 request.name == "skipper-ingress-routesrv" &&
 request.resource.resource == "services" &&
 request.subResource == "proxy" &&
From b3bd7b8ec7faa3a08202edc7dea21b64a2c3d41e Mon Sep 17 00:00:00 2001
From: ni9hty
Date: Mon, 10 Nov 2025 09:46:25 +0100
Subject: [PATCH 6/6] fix suggestion
---
 cluster/manifests/02-admission-control/teapot.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/cluster/manifests/02-admission-control/teapot.yaml b/cluster/manifests/02-admission-control/teapot.yaml
index 9842e49361..449c1101f1 100644
--- a/cluster/manifests/02-admission-control/teapot.yaml
+++ b/cluster/manifests/02-admission-control/teapot.yaml
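Review bot: The two readonly-binding.yaml hunks add `zalando:engineer` as a subject of both RoleBindings, although patch 2 of this series already makes the same group a subject of poweruser-binding.yaml; if the poweruser role is a superset of the readonly role these two entries are redundant, and if it is not, the reason the group needs both bindings should be stated. A comment next to the new subject would settle it, e.g. `# zalando:engineer is also a poweruser subject; listed here so read access does not depend on that binding`. Neither RoleBinding's `roleRef` is inside the hunks, so the superset question is inferred from the file names only. Both RoleBinding documents start outside their hunks.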
@@ -634,8 +634,10 @@ webhooks:
 - name: 'allow-routesrv-routes-access'
 expression: |
 !(
- "okta:common/engineer" in request.userInfo.groups ||
- "zalando:engineer" in request.userInfo.groups &&
+ (
+ "okta:common/engineer" in request.userInfo.groups ||
+ "zalando:engineer" in request.userInfo.groups
+ ) &&
 request.name == "skipper-ingress-routesrv" &&
 request.resource.resource == "services" &&
 request.subResource == "proxy" &&
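Review bot: The grouping `( ... || ... ) &&` makes the two group checks a single operand of the conjunction, which is the shape the earlier patches in this series were missing; what is still absent is any record that `okta:common/engineer` and `zalando:engineer` are meant to be interchangeable in this validation. A YAML comment above the `- name: 'allow-routesrv-routes-access'` entry, such as `# Both engineer groups are treated alike here: the okta-sourced group and zalando:engineer, which cluster/cluster.yaml grants via an EKS access entry`, would stop a later edit from extending one group but not the other, and the same pairing lives in role-sync-controller/cronjob.yaml and roles/*-binding.yaml. The `expression` block scalar continues beyond the hunk, so the remaining conjuncts could not be checked here.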