Add a new `role.options` field called `request_mode.kubernetes_resources` #47173
base: master
The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with
@@ -2664,6 +2666,13 @@ message AccessCapabilitiesRequest { | |||
bool FilterRequestableRolesByResource = 6 [(gogoproto.jsontag) = "filter_requestable_roles_by_resource,omitempty"]; | |||
} | |||
|
|||
message AccessRequestMode { | |||
repeated KubernetesResource KubernetesResources = 1 [ |
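Review bot: `AccessRequestMode.KubernetesResources` reuses `KubernetesResource`, so Name, Namespace and Verbs are settable on the wire even though the PR description says only `Kind` is honoured and anything else is rejected at upsert; define a dedicated message carrying only `Kind` so the proto type matches the validated shape instead of relying on a runtime check. The hunk is also cut off after the opening bracket of the field options, so the jsontag for this field cannot be reviewed here.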
Can we use a dedicated type for this setting? Reusing `KubernetesResource` causes confusion because you can set a lot of data that isn't allowed.
ae41067 to b03a2f3
945322f to 70ecfbb
friendly ping @tigrato @nklaassen
70ecfbb to 352dbb1
352dbb1 to ec9b6a8
Can you please add unmarshal from/to YAML of roles with this section defined?
@@ -2639,6 +2639,8 @@ message AccessCapabilities { | |||
// AutoRequest indicates whether the request strategy indicates that a | |||
// request should be automatically generated on login. | |||
bool AutoRequest = 6 [(gogoproto.jsontag) = "auto_request,omitempty"]; | |||
// RequestMode defines what resource kinds a user can request for applicable resources. | |||
AccessRequestMode RequestMode = 7 [(gogoproto.jsontag) = "request_mode,omitempty"]; |
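Review bot: the comment on `RequestMode` ("what resource kinds a user can request for applicable resources") does not say which role's `request_mode` this capability reflects when the user holds several roles, nor what an empty list means to a client; state both, since `AccessCapabilities` is what clients use to decide what to offer in a request. The field name should also follow the snake_case used for new proto fields (`request_mode`).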
Suggested change:
AccessRequestMode RequestMode = 7 [(gogoproto.jsontag) = "request_mode,omitempty"];
AccessRequestMode request_mode = 7 [(gogoproto.jsontag) = "request_mode,omitempty"];
Recently we started adopting the camel case for new fields
// Modeled after existing message KubernetesResource. | ||
message RequestModeKubernetesResource { | ||
// Kind specifies the Kubernetes Resource type. | ||
string Kind = 1 [(gogoproto.jsontag) = "kind,omitempty"]; |
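Review bot: the doc comment on `Kind` is copied from `KubernetesResource` and says nothing about which values are valid here; document that `kube_cluster` is not an accepted value, that the wildcard means any subresource kind, and what happens with an unrecognised kind string, so that `RequestModeKubernetesResource` carries its own contract instead of pointing readers at a message with different semantics.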
Suggested change:
string Kind = 1 [(gogoproto.jsontag) = "kind,omitempty"];
string kind = 1 [(gogoproto.jsontag) = "kind,omitempty"];
@@ -3295,7 +3322,6 @@ message DatabasePermission { | |||
// KubernetesResource is the Kubernetes resource identifier. | |||
message KubernetesResource { | |||
// Kind specifies the Kubernetes Resource type. | |||
// At the moment only "pod" is supported. |
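Review bot: the removed line `// At the moment only "pod" is supported.` was the only statement of which kinds `KubernetesResource.Kind` accepts; the replacement comment lies outside this hunk, so make sure it names the supported kinds or references the canonical list, otherwise the broadened contract of the field is undocumented.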
😃
lib/services/access_request.go (Outdated)
// Validate kube request kinds. | ||
// If request mode is defined, then any request for kube_cluster will be rejected. | ||
isResourceRequest := len(req.GetRequestedResourceIDs()) > 0 |
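Review bot: the comment promises that any `kube_cluster` request is rejected once request mode is defined, but `isResourceRequest` only checks that `GetRequestedResourceIDs()` is non-empty; the branch that follows needs to spell out which role's `request_mode` is enforced when the request is backed by several roles with different settings (the thread raises exactly this), and to handle a role-only request, where the resource list is empty and the kube_cluster rule cannot apply.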
What happens if multiple roles back this access request?
Should we return an error only if none of them support the kind? If a role doesn't support kind Y, we won't use it for access to resources of kind Y.
4892231 to f987020
I made a few adjustments based on review: the request mode found on the same role as the `search_as_roles` will be enforced:
f987020 to 7988cc6
449ca3d to 415537c
415537c to 7f0453e
Part of #46742
RFD: #46691

Defines a new `role.options` field called `request_mode`. For now it holds a field `kubernetes_resources` that follows the same format as the existing `allow.kubernetes_resources`, except the only field we support in the options field is `Kind` (defining other fields will reject the role upserting actions).

The `Kind` allows admins to define what kube subresources a user can request during request creation and disallow requesting for `kube_cluster`. It allows the `wildcard` to mean allow request to any kube subresources.

If `role.options.request_mode` is not defined, or length 0, it means a user can request for `kube_cluster` or any of its subresources.

Example, if requester role says:

requesting kind `kube_cluster` is denied:

requesting kind `pod` is denied:

requesting kind `namespace` is allowed:

wildcard example output:

changelog: Define a new `role.options` field called `request_mode.kubernetes_resources` that allows admins to define what kinds of Kubernetes resources a requester can make.
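The semantics spelled out in the description above (empty `request_mode` allows everything, a non-empty one denies `kube_cluster` and allows only the listed kinds or the wildcard, and any field other than `kind` is rejected when the role is upserted) can be exercised in isolation. The following Go program is an added example written for this page, not Teleport's code from the PR: the type `RequestModeKubernetesResource`, the functions `ValidateRequestMode`, `RequestKindAllowed` and `CheckRequestedKinds`, and the choice of `*` as the wildcard token are all assumptions of the example. `CheckRequestedKinds` implements the "error only if none of the roles support the kind" rule the reviewer proposed in the thread; the author's later comment says the merged behaviour instead enforces the `request_mode` of the role carrying `search_as_roles`, so treat that function as the reviewer's variant, not the PR's.

```go
package main

import (
	"errors"
	"fmt"
)

// RequestModeKubernetesResource is a stand-in for the new role option entry
// (not Teleport's own type). The extra fields mirror allow.kubernetes_resources
// so that the "only kind is allowed in request_mode" rule can be enforced.
type RequestModeKubernetesResource struct {
	Kind      string
	Name      string   // not permitted in request_mode
	Namespace string   // not permitted in request_mode
	Verbs     []string // not permitted in request_mode
}

const (
	// KindKubeCluster is the kind of a whole-cluster request.
	KindKubeCluster = "kube_cluster"
	// Wildcard is assumed to be "*" (an assumption of this example).
	Wildcard = "*"
)

// ValidateRequestMode is the upsert-time check from the PR description:
// every entry must set Kind and nothing else.
func ValidateRequestMode(resources []RequestModeKubernetesResource) error {
	for i, r := range resources {
		if r.Kind == "" {
			return fmt.Errorf("request_mode.kubernetes_resources[%d]: kind is required", i)
		}
		if r.Name != "" || r.Namespace != "" || len(r.Verbs) > 0 {
			return fmt.Errorf("request_mode.kubernetes_resources[%d]: only kind may be set", i)
		}
	}
	return nil
}

// RequestKindAllowed applies the request_mode semantics to a single role:
//   - empty request_mode: kube_cluster and every subresource kind are requestable;
//   - non-empty: kube_cluster is never requestable, and a subresource kind is
//     requestable only if listed explicitly or covered by the wildcard.
func RequestKindAllowed(resources []RequestModeKubernetesResource, kind string) bool {
	if len(resources) == 0 {
		return true
	}
	if kind == KindKubeCluster {
		return false
	}
	for _, r := range resources {
		if r.Kind == Wildcard || r.Kind == kind {
			return true
		}
	}
	return false
}

// ErrKindNotRequestable is returned when no applicable role permits a kind.
var ErrKindNotRequestable = errors.New("kind is not requestable under any applicable role")

// CheckRequestedKinds evaluates each requested kind against every role that
// backs the request and accepts it if at least one role allows it. This is
// the reviewer's "error only if none of them support the kind" proposal,
// taken as an assumption here; the PR's final behaviour differs (see lead-in).
func CheckRequestedKinds(modesByRole map[string][]RequestModeKubernetesResource, kinds []string) error {
	for _, kind := range kinds {
		allowed := false
		for _, resources := range modesByRole {
			if RequestKindAllowed(resources, kind) {
				allowed = true
				break
			}
		}
		if !allowed {
			return fmt.Errorf("%q: %w", kind, ErrKindNotRequestable)
		}
	}
	return nil
}

func main() {
	// Constructed requester role, equivalent to this YAML fragment:
	//   options:
	//     request_mode:
	//       kubernetes_resources:
	//         - kind: namespace
	requester := []RequestModeKubernetesResource{{Kind: "namespace"}}
	if err := ValidateRequestMode(requester); err != nil {
		panic(err)
	}
	for _, kind := range []string{KindKubeCluster, "pod", "namespace"} {
		fmt.Printf("request for kind %q allowed: %v\n", kind, RequestKindAllowed(requester, kind))
	}

	// A role that sets a field other than kind must be rejected on upsert.
	bad := []RequestModeKubernetesResource{{Kind: "pod", Namespace: "default"}}
	fmt.Println("invalid role rejected:", ValidateRequestMode(bad) != nil)
}
```

The denial of `kube_cluster` is unconditional once any `request_mode` entry exists, including a wildcard entry; that matches the description, where the wildcard only widens the set of subresource kinds.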