Skip to content

Fix networkplugin cert renewal RBAC#1507

Merged
friegger merged 1 commit into
mainfrom
fix/networkplugin-cert-renewal-rbac
Jul 8, 2026
Merged

Fix networkplugin cert renewal RBAC#1507
friegger merged 1 commit into
mainfrom
fix/networkplugin-cert-renewal-rbac

Conversation

@friegger

@friegger friegger commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Fixes #1508

Summary by CodeRabbit

  • Bug Fixes
    • Expanded network plugin permissions to support creating and retrieving certificate signing requests.
    • Enabled the client certificate renewal flow to proceed successfully, improving reliability of certificate-related operations.

@friegger friegger requested a review from a team July 7, 2026 16:25
@github-actions github-actions Bot added size/S bug Something isn't working labels Jul 7, 2026
@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Added RBAC rules to the networking.ironcore.dev:system:networkplugins ClusterRole for certificate signing requests, including certificatesigningrequests and the certificatesigningrequests/networkpluginclient subresource, with comments about the renewal flow.

Changes

Network Plugin RBAC Update

Layer / File(s) Summary
Add CSR RBAC rules
config/apiserver/rbac/networkplugin_role.yaml
New rules grant certificates.k8s.io permissions for certificatesigningrequests (create/get/list/watch) and certificatesigningrequests/networkpluginclient (create), with inline comments describing the SubjectAccessReview behavior for client-certificate renewal.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Possibly related PRs

  • ironcore-dev/ironcore#1465: Modifies the same networking.ironcore.dev:system:networkplugins ClusterRole in config/apiserver/rbac/networkplugin_role.yaml, affecting the same RBAC rules.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning No pull request description was provided, so the required template sections are missing. Add the Proposed Changes bullets and a Fixes # reference, using the repository's description template.
✅ Passed checks (4 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title clearly matches the main change: updating networkplugin RBAC for certificate renewal permissions.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/networkplugin-cert-renewal-rbac

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@friegger friegger force-pushed the fix/networkplugin-cert-renewal-rbac branch from 95a1f35 to 0cfe8b7 Compare July 8, 2026 06:58
The network plugin ClusterRole only granted access to core.apinet.ironcore.dev
networkinterfaces. The corresponding *-bootstrapper role, which grants
create on certificatesigningrequests and certificatesigningrequests/networkpluginclient,
is bound only to the bootstrap token group (system:bootstrappers:networking-ironcore-dev:networkplugins).
As a result, initial bootstrap worked, but once a plugin had switched from its
bootstrap kubeconfig to its issued client cert (user
networking.ironcore.dev:system:networkplugin:<name>, group
networking.ironcore.dev:system:networkplugins), any attempt to rotate its
certificate failed with:

  certificatesigningrequests.certificates.k8s.io is forbidden:
  User "networking.ironcore.dev:system:networkplugin:<name>" cannot create
  resource "certificatesigningrequests" in API group "certificates.k8s.io"
  at the cluster scope

Grant the same CSR create + networkpluginclient subresource permissions on the
non-bootstrapper role so plugins can self-renew, mirroring how the machinepool,
volumepool, and bucketpool roles are structured. The
NetworkPluginRecognizer auto-approver in
internal/controllers/core/certificate/networking/networkplugin.go already gates
approval on a SubjectAccessReview against the networkpluginclient subresource,
so renewal CSRs remain scoped to legitimate plugin identities.

Signed-off-by: Felix Riegger <felix.riegger@sap.com>
@friegger friegger force-pushed the fix/networkplugin-cert-renewal-rbac branch from 0cfe8b7 to 7152811 Compare July 8, 2026 07:02
@friegger friegger merged commit 28effbb into main Jul 8, 2026
12 checks passed
@friegger friegger deleted the fix/networkplugin-cert-renewal-rbac branch July 8, 2026 12:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working size/S

Projects

None yet

Development

Successfully merging this pull request may close these issues.

libvirt-provider's network plugin cannot rotate its certificate

2 participants