Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Inject Token with Maintainer Access into Task Pods #1229

Schnitzel opened this issue Sep 6, 2019 · 0 comments · May be fixed by #1260


Copy link

commented Sep 6, 2019

We're running into an issue with the Task Pods not having enough permissions, the situation is this:

  1. User with Developer Role creates a Task to sync production to development environment
  2. Lagoon creates a Task Pod within development environment which wants to ssh into production environment
    Problem is that the Task Pod is running with the guest role which cannot access the production environment and therefore fails.

We could solve this with giving the guest role ssh access to the production environment, but this is not the idea of RBAC.
We could also create a new role for the default-user and give that role ssh production access, the problem is that this role will also be used by the CLI pod and there is the risk that somebody with just development access has access to the CLI pod and "steals" the credentials of the CLI pod and can access the production environment.

Therefore our current idea to solve this would be:
When Lagoon creates the Task Pod it also gets a JWT Token from the API which has maintainer role access and is valid only for a couple of minutes. This JWT is then used by the Task Pod to authenticate itself against the SSH Service (instead of the SSH Key) and gets access to the production environment.

I think these are the needed tasks:

  • Update the SSH Service so that a client has the capability to pass a specific JWT token into the Remote Shell connection which is then used to check if the user has access to an environment or not (
  • Update the Task Pod Creator of Lagoon to get a JWT Token from the API with Maintainer permission and inject it into the Task Pod (The pod will then use it to get access to the production environment)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
2 participants
You can’t perform that action at this time.