
fix: scope RBAC permissions and remove unused /dev/mem mount#424

Open
Flegma wants to merge 2 commits intomainfrom
audit/412-rbac-scoping

Conversation


@Flegma Flegma commented Apr 2, 2026

Summary

API ClusterRole scoped down to only cluster-scoped resources:

  • Kept: nodes (get/list/patch for game server node labeling) and persistentvolumes (read-only)
  • Removed: PVCs, jobs, pods, deployments — moved to namespaced Role where they belong
  • PV permissions reduced from create/delete to read-only (PVs are created by storage class via PVCs)

API Role (namespaced to 5stack):

  • Added persistentvolumeclaims (full CRUD, moved from ClusterRole)
  • Added pods/log (get) and jobs/status (moved from ClusterRole)

DaemonSet:

  • Removed /dev/mem volume mount — confirmed not referenced anywhere in the connector source code. This was an unnecessary host memory access.

Test plan

  • API can still label nodes for game server assignment
  • API can create/manage PVCs for game servers within 5stack namespace
  • API can read pod logs and job statuses
  • Game server node connector starts correctly without /dev/mem mount
  • kustomize build succeeds

Closes #412

API ClusterRole:
- Removed namespaced resources (PVCs, jobs, pods, deployments) — these
  are already in the namespaced Role or moved there
- Kept only cluster-scoped resources: nodes (patch for labeling) and
  PVs (read-only)
- PV permissions reduced from create/delete to read-only

API Role (namespaced):
- Added PVCs (moved from ClusterRole)
- Added pods/log and jobs/status (moved from ClusterRole)

DaemonSet:
- Removed /dev/mem volume mount — not referenced anywhere in
  connector source code, unnecessary host memory access

Closes #412
```yaml
        - name: cpu-sys
          mountPath: /host-cpu
          readOnly: true
        - name: mem-sys
```

I can't remember why I had this in there....


lukepolo commented Apr 2, 2026

Overall good; are we sure that mem-sys is not being used?

patchNamespacedDeployment requires patch verb — was in the old
ClusterRole but not carried over to the namespaced Role.
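The PR description and the follow-up commit above make two checkable claims: namespaced resources (PVCs, jobs, pods, deployments) should not be granted in a ClusterRole, and PVs only need read verbs; and every verb the API code actually calls (such as `patch` on deployments for `patchNamespacedDeployment`) must survive the move into the namespaced Role. The following audit script is an added example, not code from the 5stack project. The rule sets it checks (`CLUSTER_ROLE_BEFORE`, `CLUSTER_ROLE_AFTER`, `ROLE_FIRST_COMMIT`, `ROLE_AFTER`, `API_NEEDS`) are constructed approximations of what the PR text describes, not the repository's manifests; the API group names are assumed from Kubernetes conventions (`batch` for jobs, `apps` for deployments).

```python
"""Audit Kubernetes RBAC rules for the scoping mistakes this PR fixes.

Hypothetical helper, not part of the 5stack project. Rules are plain dicts
in the same shape as the YAML `rules:` list of a ClusterRole or Role.
"""

# Resources that only exist inside a namespace; granting them in a
# ClusterRole gives access in every namespace, so they belong in a Role.
NAMESPACED_RESOURCES = {
    "pods", "pods/log", "jobs", "jobs/status", "deployments",
    "persistentvolumeclaims", "services", "configmaps", "secrets",
}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def expand_rules(rules):
    """Flatten a rules list into a set of (apiGroup, resource, verb) triples."""
    triples = set()
    for rule in rules:
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    triples.add((group, resource, verb))
    return triples


def audit_cluster_role(rules):
    """Findings for a ClusterRole: namespaced resources granted cluster-wide,
    and write verbs on persistentvolumes (PVs are created by the storage
    class via PVCs, so the API only needs to read them)."""
    findings = []
    for group, resource, verb in sorted(expand_rules(rules)):
        label = f"{group or 'core'}/{resource} {verb}"
        if resource in NAMESPACED_RESOURCES:
            findings.append(f"{label}: namespaced resource in ClusterRole, move to a Role")
        elif resource == "persistentvolumes" and verb in WRITE_VERBS:
            findings.append(f"{label}: write verb on PVs, read-only suffices")
    return findings


def missing_permissions(rules, required):
    """Return the (apiGroup, resource, verb) triples in `required` that
    `rules` do not grant, honouring '*' wildcards on resource or verb."""
    granted = expand_rules(rules)
    return [
        (group, resource, verb)
        for group, resource, verb in required
        if not ({(group, resource, verb), (group, resource, "*"),
                 (group, "*", verb), (group, "*", "*")} & granted)
    ]


# Constructed approximation of the ClusterRole before the PR.
CLUSTER_ROLE_BEFORE = [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "patch"]},
    {"apiGroups": [""], "resources": ["persistentvolumes", "persistentvolumeclaims", "pods"],
     "verbs": ["get", "list", "create", "delete"]},
    {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["get", "create", "delete"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "patch"]},
]
# Constructed ClusterRole after scoping: only cluster-scoped resources remain.
CLUSTER_ROLE_AFTER = [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "patch"]},
    {"apiGroups": [""], "resources": ["persistentvolumes"], "verbs": ["get", "list", "watch"]},
]
# Constructed namespaced Role as described in the first commit (5stack namespace).
ROLE_FIRST_COMMIT = [
    {"apiGroups": [""], "resources": ["persistentvolumeclaims"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]},
    {"apiGroups": ["batch"], "resources": ["jobs/status"], "verbs": ["get"]},
]
# Same Role plus the deployments/patch verb the second commit adds back.
ROLE_AFTER = ROLE_FIRST_COMMIT + [
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["patch"]},
]
# Constructed list of what the API code needs, taken from the test plan and
# the patchNamespacedDeployment note; not derived from the project source.
API_NEEDS = [
    ("", "persistentvolumeclaims", "create"),
    ("", "pods/log", "get"),
    ("batch", "jobs/status", "get"),
    ("apps", "deployments", "patch"),
]

if __name__ == "__main__":
    for finding in audit_cluster_role(CLUSTER_ROLE_BEFORE):
        print("before:", finding)
    print("after ClusterRole:", audit_cluster_role(CLUSTER_ROLE_AFTER) or "clean")
    print("first commit missing:", missing_permissions(ROLE_FIRST_COMMIT, API_NEEDS))
    print("after second commit missing:", missing_permissions(ROLE_AFTER, API_NEEDS) or "none")
```

Run against the constructed data, the before-ClusterRole produces one finding per namespaced (resource, verb) pair plus one per write verb on PVs, the scoped ClusterRole is clean, and the first-commit Role is reported as lacking `apps/deployments patch`, which is exactly the regression the second commit fixes. Against a real cluster, the same `rules` lists can be pulled from `kubectl get clusterrole <name> -o json` and fed in unchanged.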


Successfully merging this pull request may close these issues.

[Infrastructure] Tighten RBAC cluster roles & DaemonSet security context
