Add Default RBAC for Non-Admins #1025
Conversation
openshift-ci
bot
added
the
release-note
SaschaSchwarze0
added
the
kind/feature
|
/approve +1 on @SaschaSchwarze0 's note about identifying in the docs ... feels like a new could also get into some detail about the rbac defined for the controllers, though I would not block merge if you did not want to take that on @adambkaplan |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: gabemontero The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
There was a problem hiding this comment.
@adambkaplan looks good. Any reasons you could think against enabling the get verb for the cluster-scope strategies?
My two thoughts:
- (abstraction): Users shouldn't need to take a look at them. Would like to keep them as much abstracted as possible. I think
listis good enough. - (security): Being able to see cluster-scope strategies might expose too much. Not sure if this applies in general, probably yes wherever there is a hard definition between users and strategy admins.
wdyt?
I think get and list should be fine. Security-wise, a strategy does not expose anything in addition to what users can see anyway in the generated TaskRun or Pod. The only thing you could hide is the existance. Not sure if there is a use case for this. Scenario-wise having access to the strategies is important for client applications. If you implement a UI that allows to create a Build, then it will want to prefil a strategy drop-down with the available strategies. Once a strategy is selected, a UI will also want to look at the strategy's parameter definitions to render a form for them. |
|
@SaschaSchwarze0 right good points. |
|
Tekton allows "view" users to get any TaskRun in their namespace, so I think this proves @SaschaSchwarze0's point that there is minimal security risk granting "get" permission to https://github.com/tektoncd/pipeline/blob/main/config/clusterrole-aggregate-view.yaml
I imagine UIs for k8s create their own rolebindings and service accounts, though they may inherit these user-facing "view" or "edit" roles. This is a reasonable user story IMO. |
adambkaplan
force-pushed
the
edit-user-rbac
branch
from
f4c5024
to
5754773
Compare
docs/configuration.md
Outdated
|
|
||
| - `shpwright-build-aggregate-view`: this role grants read access (get, list, watch) to most Shipwright Build objects. | ||
| This includes `BuildStrategy`, `ClusterBuildStrategy`, `Build`, and `BuildRun` objects. | ||
| This role is aggregated to the Kubernetes "view" role. |
There was a problem hiding this comment.
| This role is aggregated to the Kubernetes "view" role. | |
| This role is [aggregated to the Kubernetes "view" role](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#aggregated-clusterroles). |
There was a problem hiding this comment.
Thanks for the suggestion - I think the "Default user roles" section of that article may be a better fit:
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#default-roles-and-role-bindings
- Add view aggregate role for inspecting Shipwright Build objects - Add edit aggregate role for managing Builds, BuildRuns, and BuildStrategies. - Ensure aggregated user roles are installed in e2e testing - Document the default cluster roles in the "configuration" markdown doc, with relevant links to upstream k8s docs.
adambkaplan
force-pushed
the
edit-user-rbac
branch
from
5754773
to
af24c9b
Compare
Changes
Fixes #1023
/kind feature
Submitter Checklist
See the contributor guide
for details on coding conventions, github and prow interactions, and the code review process.
Release Notes