-
Notifications
You must be signed in to change notification settings - Fork 415
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
remove interceptor cross namespace secret references; adjust controller permission accordingly #748
remove interceptor cross namespace secret references; adjust controller permission accordingly #748
Conversation
The following is the coverage report on the affected files.
|
65bb217
to
4491bf9
Compare
The following is the coverage report on the affected files.
|
OK @dibyom @wlynch @khrm the tests are clean and I have the release note ready. I did not find any doc references to the SecretRef Namespace field. But double check my greps, etc. with any recollections you all have. Two questions:
thanks @skaegi FYI ... access to secrets is reduced to the pipeline namespace with this PR |
All of those sound like good ideas. I think a slack message in #general or #triggers and maybe a mail to the tekton-dev group? Maybe we can also point it out in the next Tekton WG meeting.
I'm happy to take a look at it. |
/assign @dibyom thanks :-) |
4491bf9
to
f4b8bd6
Compare
The following is the coverage report on the affected files.
|
@@ -21,7 +21,7 @@ metadata: | |||
app.kubernetes.io/part-of: tekton-triggers | |||
rules: | |||
- apiGroups: [""] | |||
resources: ["configmaps", "secrets", "services", "events"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🎉
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hmmm, so why does the EL reconciler need access to secrets in the first place 🤔 ? As far as I know, only the EL sink's SA should need access to secrets.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oooh ... interesting @dibyom
I think you are right. Ultimately it is the interceptors called within the sink that are getting the secret token for the git*/bitbucket/etc. verification that we have de-scoped to be local namespace only.
And I see no other use of the k8s secret client.
So that would imply not even creating the new 200-role.yaml and 201-rolebinding.yaml files I have currently in the PR, and instead updating the event listener / sink related yaml under the examples folder, right?
On the plus side, being this much of a newbie path makes me feel young :-)
I'll work on some changes tomorrow / Friday and we'll see how the PR tests fair.
thanks
The following is the coverage report on the affected files.
|
integrations tests still pass, but I'm not sure they run the examples will look into it Friday and run manually at least if needed |
OK I see the https://github.com/tektoncd/triggers/blob/master/test/e2e-tests-yaml.sh that is analogous to what I've seen in tektoncd/pipelines, but I can't find evidence in the integration-tests run or build-tests run where it is utilized Does that sound right to your @dibyom ? In any event, I ran through the instructions at https://github.com/tektoncd/triggers/tree/master/examples manually with this branch deployed and it functioned correctly. Let me know on about the testing and rest of the code changes @dibyom thanks |
Thanks @gabemontero |
Messages have been posted to the two slack channels and the tekton users group. |
OK, back from PTO. Looks like I have to rebase this PR, but beforehand, @dibyom - your thoughts on the feedback from the public announcements. If I recall correctly, there was only a minor exchange with you and @afrittoli I do not think anything concerning stemmed from it, but I'll admit I do not fully recall. Thoughts gentlemen ? |
Hope you had a nice break @gabemontero 🏖️ I've heard any concerning feedback, so I'm ok merging this once it is rebased! |
02f442f
to
fbdd77e
Compare
thanks @dibyom !
rebase pushed |
The following is the coverage report on the affected files.
|
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dibyom The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Changes
Per recent discussions in the WG, the ability for interceptors to access secrets in other namespaces
appears to be an unintended feature, where we know of no use of it at this time.
Aside from the security implications with the controller accessing secrets from any namespace, eliminating this ability aids the multi-tenant eventlistener migration, as that design scopes the interceptor along with the trigger to within a namespace only.
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
See the contribution guide for more details.
Release Notes