simplify PromotionPolicies and validating webhook for Promotions #450
Signed-off-by: Kent <kent.rancourt@gmail.com>
Codecov Report

```diff
@@            Coverage Diff             @@
##             main     #450      +/-   ##
==========================================
- Coverage   52.22%   51.04%   -1.18%
==========================================
  Files          46       46
  Lines        4366     4194     -172
==========================================
- Hits         2280     2141     -139
+ Misses       1993     1960      -33
  Partials       93       93
```
Looks good, one small comment. I think we can take that up in a different PR if a change is required.
if subjectIsServiceAccount && | ||
serviceAccountNamespace == "kube-system" && | ||
serviceAccountName == "namespace-controller" { | ||
if req.UserInfo.Username == "system:serviceaccount:kube-system:namespace-controller" { |
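Review bot: the replacement collapses the former three-part check (service-account flag, namespace, name) into one comparison against the literal "system:serviceaccount:kube-system:namespace-controller"; that is equivalent only because service-account usernames always take the fixed form system:serviceaccount:<namespace>:<name>, and that dependency is no longer stated anywhere near the comparison. Suggest hoisting the literal into a named constant and adding a one-line comment saying why this single subject gets special handling in the webhook, so the branch is easy to audit for anyone reviewing who is treated differently from ordinary requesters.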
Is this needed?
This PR transitions us to using pure RBAC to determine who may promote to a given `Environment`. Previously, this was based on `PromotionPolicy` resources and custom authorization logic in the validating webhook for `Promotion` resources. The webhook would evaluate policies and determine whether the subject in question was permitted to create a `Promotion` for the `Environment` it references.

The `PromotionPolicy` type largely goes away now (but not entirely -- more on this in a moment). The webhook replaces its old logic with a `SubjectAccessReview` request.

The following `Role` demonstrates how this works. Anyone bound to it may promote to `Environment`s "test" and "stage" in the `demo` namespace, but may not promote to `Environment` `prod`.

Also note the use of a custom verb -- `promote`. Custom verbs for RBAC are explained nicely here.

After this PR, the role of `PromotionPolicy` is reduced to only specifying whether auto-promotion is permitted or not. A future PR may rename it to `AutoPromotionPolicy`.

Note to any contributors who use steps in the quickstart to validate changes they are working on: This PR breaks the docs for you, but the docs are still correct for the latest releases. I will fix the docs in a follow-up PR after these changes make it into a release.

cc @gdsoumya and @jessesuen (Thanks for the assistance on this, Jesse.)
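The `Role` the description refers to did not survive extraction, so here is an added example in the shape it describes; it is not the PR's own manifest. It assumes Environments and Promotions are namespaced resources named `environments` and `promotions` in the API group `kargo.akuity.io`, that the webhook's `SubjectAccessReview` asks for verb `promote` on the Environment a Promotion names, and uses a placeholder subject `alice`.

```yaml
# Added example, not from the PR. Assumed API group and resource names:
# kargo.akuity.io, environments, promotions. Subject "alice" is a placeholder.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: demo
  name: promoter-test-stage
rules:
  # Ordinary RBAC still gates the API request itself: the subject needs
  # "create" on promotions before the validating webhook ever sees it.
  - apiGroups: ["kargo.akuity.io"]
    resources: ["promotions"]
    verbs: ["create"]
  # The custom verb the webhook checks through a SubjectAccessReview.
  # resourceNames scopes it to exactly these Environments; "prod" is not
  # listed, so a Promotion targeting prod fails the review.
  - apiGroups: ["kargo.akuity.io"]
    resources: ["environments"]
    resourceNames: ["test", "stage"]
    verbs: ["promote"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: demo
  name: promoter-test-stage
subjects:
  - kind: User
    name: alice
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: promoter-test-stage
  apiGroup: rbac.authorization.k8s.io
```

`kubectl auth can-i promote environments/prod -n demo --as alice` returns the same decision the webhook's `SubjectAccessReview` would get, which makes it a quick way to audit a binding. Keep in mind that a rule with `verbs: ["*"]` on `environments` also matches the custom verb, so wildcard rules grant promotion rights even though they never mention `promote`.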