Support a Namespace annotation indicating elevated privileges are ok for movers #365

Closed
Tracked by #363
JohnStrunk opened this issue Aug 11, 2022 · 2 comments · Fixed by #387

@JohnStrunk
Member

JohnStrunk commented Aug 11, 2022

Describe the feature you'd like to have.
The VolSync controller should look for a well-known annotation on the user's Namespace that would serve as an indicator that movers should be run with elevated privileges in that Namespace.

What is the value to the end user? (why is it a priority?)
Reducing the (default) permissions that are granted to movers enhances the security of the cluster by ensuring that movers (which run in the user's Namespace) only run w/ permissions that are equivalent to that of a normal user. Unfortunately, that will limit the ability of movers to preserve file metadata such as uid/gid and some attrs. It may also prevent reading (and replicating) some files. For this reason, it must be possible to securely signal that movers should be run w/ elevated privileges when these additional items need to be replicated.

By using an annotation on the Namespace, we ensure that an entity w/ elevated privileges has "ok-ed" the mover elevation.

How will we know we have a good solution? (acceptance criteria)

  • Document the annotation that VolSync will use and explain the implications of the enhanced privileges: more accurate replication, but potential for user privilege escalation.
  • The controllers should look for the annotation and make that information available as a flag via the mover interface (probably via the Builder)

Additional context
This item is just to provide the annotation to the interface. Changes to the behavior of movers will be handled separately.

JohnStrunk changed the title from "Provide a well-known annotation that can be added to the user's Namespace that indicates movers should run there with elevated permissions" to "Support a Namespace annotation indicating elevated privileged are ok for movers" on Aug 11, 2022
JohnStrunk changed the title from "Support a Namespace annotation indicating elevated privileged are ok for movers" to "Support a Namespace annotation indicating elevated privileges are ok for movers" on Aug 11, 2022
JohnStrunk added the "enhancement" (New feature or request) label on Aug 11, 2022
@JohnStrunk
Member Author

Proposed Namespace annotation: volsync.backube/privileged-movers: true
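
The trust boundary described in this issue, sketched in Go as an added example that is not part of the thread and is not VolSync's own code: the flag is derived only from the Namespace object and fails closed. `MoverConfig`, `PrivilegedMoversOK` and `BuildMoverConfig` are hypothetical names, and accepting only the exact value `"true"` is an assumption of the sketch.

```go
package main

import "fmt"

// Annotation key proposed in this issue.
const PrivilegedMoversAnnotation = "volsync.backube/privileged-movers"

// MoverConfig is a hypothetical stand-in for the flag a mover builder receives.
type MoverConfig struct {
	Namespace  string
	Privileged bool
}

// PrivilegedMoversOK reports whether the Namespace's annotations opt in to
// elevated movers. It fails closed: a missing key or any value other than the
// exact string "true" (an assumption of this sketch) leaves movers unprivileged.
func PrivilegedMoversOK(nsAnnotations map[string]string) bool {
	return nsAnnotations[PrivilegedMoversAnnotation] == "true"
}

// BuildMoverConfig derives the flag only from the Namespace object. Annotations
// on the user's own resource are accepted as input but deliberately ignored,
// because the user can edit that resource and must not self-approve elevation.
func BuildMoverConfig(ns string, nsAnnotations, userObjAnnotations map[string]string) MoverConfig {
	_ = userObjAnnotations
	return MoverConfig{Namespace: ns, Privileged: PrivilegedMoversOK(nsAnnotations)}
}

func main() {
	// Constructed sample inputs.
	approved := map[string]string{PrivilegedMoversAnnotation: "true"}
	selfSet := map[string]string{PrivilegedMoversAnnotation: "true"}
	malformed := map[string]string{PrivilegedMoversAnnotation: "yes"}

	fmt.Println(BuildMoverConfig("team-a", approved, nil))  // Namespace opted in
	fmt.Println(BuildMoverConfig("team-b", nil, selfSet))   // user-set copy is ignored
	fmt.Println(BuildMoverConfig("team-c", malformed, nil)) // malformed value stays unprivileged
}
```
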

@tesshuflower
Contributor

/assign @tesshuflower
