APB's are unable to perform actions that require cluster scoped privileges #715
Comments
rthallisey
added
feature
3.10 | release-1.2
rthallisey
assigned rthallisey and unassigned jmrodri, eriknelson, karmab and shawn-hurley
|
@jmrodri @eriknelson @karmab @shawn-hurley What do folks think of that approach? |
This is not the case. In what we called a limited tenant environment where an admin wants� to escalate the permissions of the user to the sandbox_role. What do you think of adding logic to the broker, that when the sandbox_role is cluster_admin, we attempt to create a Alternatively, we can add dual configs here to make it very clear that an admin is granting this sandbox_role cluster-wide by having a config for type of role binding (clusterrole or role I think would be the options and default to role). |
|
As @shawn-hurley noted, If you want this as a way to make development easier, why not just have an extra step in your dev setup that just adds the cluster role binding? I do not see why it need to be turned into a first class option. |
Thanks for the correction. Maybe we can use the option |
We could, but I'm mainly trying to avoid adding another config option if possible. |
|
To follow up on this, I think we're going to use Karim's workaround which is to sign into cluster from the apb. Closing this issue. A proposal will follow at a later date to address this problem for production deployments. |
@rthallisey the link is broken. any tips how to create project in an apb? |
|
@tj13 When running an APB, the broker applies a In the past, folks have worked around this by passing credentials through to the APB similar to any other parameter, and logging in as that user as an initial task in the APB. I'd recommend some caution around this for a production case though, it's deliberately subverting the security model. |
eriknelson
changed the title
eriknelson
removed
the
3.10 | release-1.2
|
I'm reopening this to continue the discussion around APB's and their access to cluster scoped privileges. |
|
@rthallisey tks |
yes, it's by design. the workaround can solve the problem now |
|
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
openshift-ci-robot
added
the
lifecycle/stale
|
/close |
|
@jmrodri: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Feature:
Currently the broker does not allow an apb to have access to anything outside it's own namespace (defined as cluster resources). The goal of this feature is to provide developers the ability to give their apbs full access to the cluster without restrictions for testing purposes.
When we turn on auto_escalate, we no longer audit whether a user has permission to launch an apb with the sandbox_role. This allows the user full control over a namespace. I'm proposing that when auto_escalate is on, that we give a user full control over the cluster. Auto_escalate is not a production setting, so it won't affect security for anything other than developer environments where security is not a priority.
Another option would be to add an additional flag like
cluster_access, which would require we turn on bothcluster_accessandauto_escalateto give a apbs full access to the cluster.non-goal:
This feature is not meant to address the problem for production environments. I think production environments require the admin to have more oversight on what cluster level apbs are allowed to run. This will be addressed in the future.
The text was updated successfully, but these errors were encountered: