Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow work agent to be run on different identity #124

Closed
4 tasks
qiujian16 opened this issue Mar 28, 2022 · 6 comments
Closed
4 tasks

Allow work agent to be run on different identity #124

qiujian16 opened this issue Mar 28, 2022 · 6 comments
Assignees
@yue9944882 @zhujian7
Labels
kind/feature
Milestone
v0.8.0

Comments

@qiujian16
Copy link
Member

qiujian16 commented Mar 28, 2022
edited
Loading

Currently work agent is run as an admin on the spoke. We should consider let user to define another identity in the manifestwork, so a manifestwork can be executed on the spoke with lower privilege.

  • check the executor subject permission for action apply
  • check the executor subject permission for action delete
  • cache the subject access review results
  • add a webhook to check the execute-as permission on the hub cluster
@qiujian16
Copy link
Member Author

/assign @yue9944882

@qiujian16
Copy link
Member Author

/kind feature

@qiujian16 qiujian16 added this to the v0.8.0 milestone Mar 28, 2022
@zhujian7 zhujian7 mentioned this issue Sep 5, 2022
Merged
@zhujian7
Copy link
Member

zhujian7 commented Sep 5, 2022
edited
Loading

I'd like to work on this

proposal link: https://github.com/open-cluster-management-io/enhancements/tree/main/enhancements/sig-architecture/34-work-executor-group

@qiujian16
Copy link
Member Author

/assign @zhujian7

This was referenced Sep 6, 2022
Closed
Closed
Closed
Closed
@zhujian7
Copy link
Member

/close

@openshift-ci openshift-ci bot closed this as completed Jan 10, 2023
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 10, 2023

@zhujian7: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@yue9944882 yue9944882

@zhujian7 zhujian7

Labels
kind/feature
Projects
OCM releases
Status: Done
Milestone
v0.8.0
Development

No branches or pull requests
3 participants
@qiujian16 @yue9944882 @zhujian7