Kubernetes Permissions
This section documents the different components of the Signadot Operator with a description of their functionality and usage of permissions that they request.
The roles specified below are cluster-wide unless stated otherwise. Sandboxes can be created to test different versions of Kubernetes workloads running in different namespaces within a Kubernetes cluster. When a Sandbox is created, it forks a specified "baseline" workload and creates a modified version for testing in the same namespace. Creating the fork in the same namespace is required so that it can function correctly by attaching the same Secrets and ConfigMaps as the baseline workload.
Agent
The Agent component connects to the Signadot control plane and is responsible for creating an encrypted tunnel between the control plane and your cluster. It enables the creation and management of Sandboxes.
Resources | Permissions | Description |
---|---|---|
SignadotSandboxes, SignadotRouteGroups, Resources, SignadotExternalWorkloads, SignadotObjectLifecycleMethods, SignadotRoutes, ForkedWorkloads, RoutingConfigs, IstioRoutes | read / write | Used to declaratively specify Signadot Sandboxes (with their attached Resources) and the Routing for those Sandboxes. |
Pods, Pods/log, Services | read | Monitoring and reporting status of pods / services that belong within a Sandbox. |
ConfigMaps | read | Used to enable users to read ConfigMaps associated with workloads running within a Sandbox via the Signadot Dashboard. |
Namespaces | read | Used to obtain a list of namespaces to present options when creating Sandboxes via the Dashboard. |
Events | read / write | Used to create Kubernetes events for reporting status from the Signadot operator. |
Deployments, ReplicaSets, Argo Rollouts | read | Reporting runtime information of workloads running within each Sandbox. |
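A practical way to use a table like the one above is to check the role actually installed in the cluster against it, so that any grant beyond the documented level (a wildcard verb, write access where only read is documented, an undocumented resource) is flagged. The following audit script is an added example and not part of the Signadot operator or its documentation; it assumes "read" means the verbs `get`/`list`/`watch` and "read / write" adds `create`/`update`/`patch`/`delete`, and it uses a constructed sample ClusterRole rather than the operator's real manifest.

```python
import json

# Assumption: the page says "read" and "read / write" without naming RBAC verbs,
# so the two levels are mapped onto verb sets here.
READ = {"get", "list", "watch"}
WRITE = READ | {"create", "update", "patch", "delete"}

# Documented permissions for the Agent (a subset of the table above); the
# lower-case plural resource names are assumptions about how the CRDs are named in RBAC rules.
AGENT_EXPECTED = {
    "signadotsandboxes": WRITE, "signadotroutegroups": WRITE, "routingconfigs": WRITE,
    "pods": READ, "pods/log": READ, "services": READ,
    "configmaps": READ, "namespaces": READ, "events": WRITE,
    "deployments": READ, "replicasets": READ, "rollouts": READ,
}

def audit_role(role, expected):
    """Return (resource, finding) pairs for every grant that exceeds the documented level.

    role: a Role/ClusterRole as a dict, e.g. parsed from `kubectl get clusterrole NAME -o json`.
    """
    findings = []
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        for res in rule.get("resources", []):
            allowed = expected.get(res)
            if res == "*" or "*" in verbs:
                findings.append((res, "wildcard grant"))
            elif allowed is None:
                findings.append((res, "resource not in documented permissions"))
            elif not verbs <= allowed:
                findings.append((res, "excess verbs: " + ",".join(sorted(verbs - allowed))))
    return findings

# Constructed sample ClusterRole (not Signadot's real manifest). The "patch" verb on pods
# and the secrets rule are deliberate deviations the audit should report.
SAMPLE_ROLE = json.loads("""{
  "kind": "ClusterRole", "metadata": {"name": "example-agent"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "services"], "verbs": ["get", "list", "watch", "patch"]},
    {"apiGroups": [""], "resources": ["configmaps", "namespaces"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch", "get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}
  ]
}""")

if __name__ == "__main__":
    for res, msg in audit_role(SAMPLE_ROLE, AGENT_EXPECTED):
        print(f"{res}: {msg}")
```

The same function can be run against the other components on this page by transcribing their tables into an expected map in the same way.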
Route Server
The Route Server component is responsible for serving specific routes corresponding to a particular Sandbox. These routes ensure that requests intended for a particular Sandbox reach it correctly.
Resources | Permissions | Description |
---|---|---|
RoutingConfig | read | The route server reads from instances of the RoutingConfig CRD to determine valid Sandbox routes. |
Tunnel API
The Tunnel API component provides a GRPC service for coordinating workstation interactions with the cluster.
Resources | Permissions | Description |
---|---|---|
Services | read | The Tunnel API reads Services to provide network information to connected workstations. |
ConfigMaps | read | The Tunnel API reads ConfigMaps in the signadot namespace to access its configuration. |
SignadotSandboxes | read | The Tunnel API reads SignadotSandboxes to coordinate interactions with connected workstations. |
Tunnel Proxy
The Tunnel Proxy component provides a SOCKS5 proxy for connected workstations to access networking from within the cluster. It also manages tunnels carrying traffic from the cluster to workstations, so that workstations receive requests associated with a Sandbox.
Resources | Permissions | Description |
---|---|---|
SignadotExternalWorkloads | read/write | The tunnel proxy has read/write access to SignadotExternalWorkloads (which are namespaced) in order to coordinate tunnel connections with workstations. |
Controller Manager
The Controller Manager component is responsible for setting up all resources associated with a Sandbox. This includes forking a workload (Deployment, Argo Rollout, etc), setting up a SignadotRoute, a Kubernetes service and running any additional provisioning logic required per Sandbox.
Resources | Permissions | Description |
---|---|---|
SignadotSandboxes, SignadotRouteGroups, Resources, SignadotExternalWorkloads, SignadotObjectLifecycleMethods, SignadotRoutes, ForkedWorkloads, RoutingConfigs, IstioRoutes | read / write | CRD objects created and managed by Signadot that contain declarative specifications of Sandboxes, Routes and Resources associated with them. |
Deployments, ReplicaSets, Argo Rollouts, Istio VirtualServices, Jobs, ConfigMaps, Services | read / write | Used to create and manage workloads associated with Sandboxes. Note that resources not associated with a Sandbox are never modified by the controller-manager. |
Signadot Mutating Webhook Configuration | read / write | Used to manage the Signadot mutating webhook that is used to dynamically inject DevMesh sidecars to enable request routing. |
IO Context Server
The IO Context Server component is responsible for storing and serving intermediate results produced by the execution of the creation and deletion steps of Resources.
Resources | Permissions | Description |
---|---|---|
Secrets | read / write | The IO Context Server reads and writes Secrets within the signadot namespace. |