RBAC for script editing and scratchpad #1320

Closed
MrAta opened this issue May 9, 2023 · 1 comment
Comments

@MrAta
Contributor

MrAta commented May 9, 2023

Is your feature request related to a problem? Please describe.
Given that Pixie's scratchpad and script edit capability allows all the users to run arbitrary eBPF code, it can be considered as a security vulnerability, especially in multi-tenant clusters.

Describe the solution you'd like
An ideal solution would be an RBAC mechanism where by default users' access is restricted to only running existing scripts. They are given scratchpad/edit access only when the Admin(s) have enabled it for them through RBAC.

Describe alternatives you've considered
An alternative that mitigates the surfaces (but not completely) is to use Pixie on-demand. That is, we deploy Pixie on a single node, and only add nodes to the set of instrumented nodes if we want to profile the Pods/services scheduled on those nodes. The nodes get removed once the profiling task is done.

Additional context
N/A

@MrAta
Contributor Author

MrAta commented May 15, 2023

Closing as duplicate #1321

@MrAta MrAta closed this as completed May 15, 2023