[Action, Green Reviews WG] Define access control management process for Green Reviews infra #220
Comments
@RobertKielty can this be part of CLOwarden? or do we need to manage infra access via equinix console / api "manually" |
CLOWarden is used to govern access to just GitHub repos at the moment. I like the way you're thinking though! Long term, the vision is to create plugins to have CLOWarden control access to multiple services. We're not there yet though. |
Hey @Callisto13 (who does awesome stuff in general & currently at Equinix)! We got access to an Equinix project. Our immediate next step is to start provisioning a Kubernetes cluster using Cluster API. We're looking at potentially using the Equinix Metal Cluster API provider (CAPEM). The configuration will live in this tooling repo: https://github.com/cncf-tags/green-reviews-tooling Adding you to this thread to ask if you have any Equinix CAPI pro tips, Equinix auth suggestions, Equinix dev advocate contacts, awesome tooling suggestions in general and/or any other pointers! |
👋 hey @nikimanoledaki I'm afraid I don't have any hot tips for CAPEM, but it looks about the same as any other CAPI provider 😄 . As for Auth to your hardware, I am guessing y'all have a project under the CNCF org? That would give you 2 access options:
Neither of these have expiry options, so you'd have to manage when to revoke access. Or write some code around adding and automatically removing people, which should be fairly trivial. (A third way would be to create the machines you know you want to use and have a nice automated way of adding people's SSH keys, that way they would not need an Equinix account. This is assuming you either keep public IPs on the devices or have a VPN or tunnel etc. This would limit them to the servers only and gives you slightly more granular access for people who don't need any more than that.) Lmk if you have any hardware questions 😀 |
Thank you @Callisto13 for outlining our auth options! 🎉 The 2 WG co-chairs (@guidemetothemoon and I) as well as 2 TAG leads (@mkorbi & @leonardpahlke) were added by the CNCF folks to the dedicated project for the TAG Environmental Sustainability (this is a manual process that we don't have control over so we're trying to limit doing this). This means 4 of us currently have (option 1) full console access for now - unsure if/how we would extend access. Perhaps we could create new roles (e.g. With regard to the hardware, the first CNCF Project that we will test is Falco, which is a security- and eBPF-based tooling. We will be using Kepler, which is also eBPF-based, so we have a few kernel-level requirements. We're starting with the Falco requirements outlined here. If you have any pointers for getting started on which hardware to provision and how to do so given these requirements, we would be very grateful! |
Do we really need to grant other access to Equinix setup? Perhaps read access for some logs. If we define the deployment infra in the repo (with OpenTofu or similar 😉) and deploy via CI/CD - anyone can propose config changes, we just need to review and approve the PRs. |
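One way the "define the infra in the repo and deploy via CI/CD" model above can be expressed for the SSH-key route mentioned earlier in the thread, as an added illustration that is not code from the green-reviews-tooling repo: contributor public keys live in a map in the repository, so granting or revoking server access is a reviewed PR rather than a console change. The resource names are those of the equinix/equinix Terraform/OpenTofu provider as I understand them, the plan, metro and OS slugs are assumptions to verify against the provider docs, and the project ID is a placeholder injected by CI.

```hcl
# Added illustration (not from the green-reviews-tooling repo). Assumes the
# equinix/equinix provider; check resource arguments against its documentation.

terraform {
  required_providers {
    equinix = {
      source = "equinix/equinix"
    }
  }
}

variable "project_id" {
  description = "Equinix Metal project ID (placeholder; supplied by CI, never committed)"
  type        = string
}

# One entry per contributor. Adding or removing an entry is a PR that the
# WG reviews; removal destroys the key resource at the next apply.
variable "contributor_keys" {
  type = map(string)
  default = {
    # constructed sample values, not real keys
    "alice" = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI_EXAMPLE_ALICE alice@example"
    "bob"   = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI_EXAMPLE_BOB bob@example"
  }
}

resource "equinix_metal_project_ssh_key" "contributor" {
  for_each   = var.contributor_keys
  name       = "green-reviews-${each.key}"
  public_key = each.value
  project_id = var.project_id
}

resource "equinix_metal_device" "test_node" {
  hostname         = "green-reviews-test-node"   # constructed name
  plan             = "c3.small.x86"              # assumed plan slug
  metro            = "am"                        # assumed metro
  operating_system = "ubuntu_22_04"              # assumed OS slug
  billing_cycle    = "hourly"
  project_id       = var.project_id

  # Only keys declared in the map above are installed on the machine.
  project_ssh_key_ids = [for k in equinix_metal_project_ssh_key.contributor : k.id]
}
```

Equinix Metal installs project SSH keys at provisioning time, so removing an entry from the map stops the key being added to new devices but does not by itself remove it from the authorized_keys of hosts already running; for actual revocation, pair this with a configuration-management step on the live hosts or reprovision them.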
Update - here is the process that we are using at the moment:
This has helped to unblock individual contributors with manual testing. We will update this once we have consensus on the IaC component and start implementing it. |
Update: This issue is mostly completed and documented in the draft of the design doc here.
We should revoke access when offboarding a TAG lead - not sure if offboarding is documented since the TAG is still relatively new and we haven't gone through that process yet but just something to keep in mind! cc TAG Chairs @leonardpahlke @catblade @mkorbi Adding the API key as a secret to the green-reviews-tooling repository is tracked in this POC: cncf-tags/green-reviews-tooling#6 We can keep this issue open while we still work on the draft. |
Closing this issue since we're tracking specific access-related issues in the WG repo https://github.com/cncf-tags/green-reviews-tooling |
Description
Now that Green Reviews WG has got access to the dedicated infrastructure on Equinix we need to establish a process to give access to this infrastructure to those who need it. Once the process is outlined we can put it in writing.
For now we can have a dedicated section for this in the CNCF TAG ENV – WG Green Reviews Design Document
Input
Need input on the questions provided above so that we can define the process in writing.
Outcome
Formally defined process for access control management and requesting access to the Green Reviews WG infrastructure.