
SRE can temporarily elevate permissions to cluster-admin #67

Merged
merged 3 commits into from Aug 6, 2019

Conversation

@jewzaam (Member) commented Aug 6, 2019

https://jira.coreos.com/browse/SREP-1805

Added:

  • Group: osd-sre-cluster-admins
  • ClusterRoleBinding for the group to existing ClusterRole cluster-admin

As noted in README, SRE can add themselves to the osd-sre-cluster-admins group to temporarily get elevated access.
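Added example, not code from the PR or the project: a check over a cluster's ClusterRoleBinding and Group objects that reports who currently reaches cluster-admin, expanding group membership so that an SRE's temporary addition to osd-sre-cluster-admins shows up by user name; the binding and group objects are constructed sample data.

```python
# Added example (not the PR's or project's code): who reaches cluster-admin,
# and through which ClusterRoleBinding, with Group subjects expanded to members.
# Objects are constructed samples shaped like `oc get clusterrolebindings,groups -o json`.

# Constructed sample: the binding this PR adds, the default system:masters
# binding, and an unrelated read-only binding that must not be reported.
CLUSTER_ROLE_BINDINGS = [
    {"metadata": {"name": "osd-sre-cluster-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "osd-sre-cluster-admins"}]},
    {"metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "view-only"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]
# Constructed sample Group objects (user.openshift.io/v1): sre-bob has added
# himself to the elevation group, sre-carol has not.
GROUPS = [
    {"metadata": {"name": "osd-sre-cluster-admins"}, "users": ["sre-bob"]},
    {"metadata": {"name": "osd-sre-admins"}, "users": ["sre-bob", "sre-carol"]},
]


def role_holders(bindings, groups, role="cluster-admin"):
    """Map each subject that reaches `role` to the names of bindings granting it.

    Group subjects are expanded to 'user:<name>' entries. A group with no Group
    object (e.g. the virtual system:masters) stays as 'group:<name>'. An empty
    group contributes nobody: the normal state of osd-sre-cluster-admins when
    no SRE is elevated.
    """
    members = {g["metadata"]["name"]: g.get("users") or [] for g in groups}
    holders = {}
    for crb in bindings:
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        for subj in crb.get("subjects") or []:
            if subj["kind"] == "Group" and subj["name"] in members:
                names = [f"user:{u}" for u in members[subj["name"]]]
            else:
                names = [f"{subj['kind'].lower()}:{subj['name']}"]
            for name in names:
                holders.setdefault(name, []).append(crb["metadata"]["name"])
    return holders


if __name__ == "__main__":
    for subject, via in sorted(role_holders(CLUSTER_ROLE_BINDINGS, GROUPS).items()):
        print(f"{subject} -> cluster-admin via {', '.join(via)}")
```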

@jewzaam (Member, Author) commented Aug 6, 2019

/hold


jewzaam force-pushed the jewzaam:srep-1805 branch from 20a11dd to ff58f65 Aug 6, 2019

@lisa (Contributor) left a comment

Relatively minor editing for clarity.

Overall, what is the chance that Hive will blow away my privilege escalation in the middle of maintenance once the cache expires?


jewzaam and others added some commits Aug 6, 2019:

- Update README.md (Co-Authored-By: Lisa Seelye <18159+lisa@users.noreply.github.com>)
- Update README.md (Co-Authored-By: Lisa Seelye <18159+lisa@users.noreply.github.com>)
@jewzaam (Member, Author) commented Aug 6, 2019

> Relatively minor editing for clarity.
>
> Overall, what is the chance that Hive will blow away my privilege escalation in the middle of maintenance once the cache expires?

Well, it all depends on when the cache expires on Hive. The linked story has this comment: "One possible downside is Hive could reconcile very soon after the update, rbac could be reverted while SRE is doing things." But my theory is if SRE needs to do a lot of things as cluster-admin there's something big that is wrong and either it shouldn't be done as a one-off, it should be fixed upstream, or if really necessary the kubeadmin creds could be accessed. More likely SRE just re-adds to the group and keeps going?

@jewzaam (Member, Author) commented Aug 6, 2019

/hold cancel

@lisa approved these changes Aug 6, 2019

@lisa (Contributor) commented Aug 6, 2019

/lgtm

I feel like this is a good stopgap even with the potential to reconcile permissions away mid-operation.

@openshift-ci-robot commented Aug 6, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jewzaam, lisa


jewzaam merged commit 2527617 into openshift:master Aug 6, 2019

2 of 3 checks passed:

- tide: Not mergeable. Merging to branch master is forbidden.
- ci.ext.devshift.net: PR build
- ci/prow/images: Job succeeded.