Restrict access to Rafter, Tekton and Knative Serving resources #7461

Merged
merged 5 commits into from Mar 7, 2020

hudymi (Contributor) commented Mar 4, 2020

Description

Changes proposed in this pull request:

  • Readonly access to Rafter Resources
  • No access to Tekton resources
  • No access to Knative Serving resources

Related issue(s)

@hudymi added the area/serverless, area/security and area/core-and-supporting labels Mar 4, 2020

netlify bot commented Mar 4, 2020

🥰 Documentation preview ready! 🥰

Built with commit cba1ce2

https://deploy-preview-7461--kyma-project-docs-preview.netlify.com

@hudymi requested a review from a team as a code owner March 4, 2020 19:12
@hudymi added the security/medium label (related to CVSSv3 security rating, https://www.first.org/cvss/calculator/3.0) Mar 4, 2020
@@ -232,6 +309,8 @@ function runTests() {
echo "--> ${ADMIN_EMAIL} should be able to patch Installation CR in ${NAMESPACE}"
testPermissions "patch" "installation" "${NAMESPACE}" "yes"
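
Review bot: in the lines shown under `@@ -232,6 +309,8 @@`, the expectation is stated twice, once in the echo text ("should be able to patch") and once as the trailing "yes" argument to `testPermissions`, so the message and the asserted result can drift apart when a role is tightened. Consider having `testPermissions` print the expectation from its own arguments, and make any check added after this line take the expected result as an explicit argument in the same way, so each user type's expected outcome is visible at the call site in `runTests()`.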

TBH this testRafter function should also contain the expected authZ result because IMO admin should have access to CRUD operations on rafter resources. Currently, it's hardcoded for all types of users.

We want to prevent the creation/update/deletion of any resources by all types of users. Only a person who has access to the kubeconfig from the cluster can create resources.

@hudymi merged commit 910d0bf into kyma-project:master Mar 7, 2020
@hudymi deleted the restrict-access branch March 7, 2020 12:30