Extending pipeline promotions token security documentation #3540
Conversation
the creation of roles that would allow access to the promotion credentials.

```yaml
apiVersion: pac.weave.works/v2beta2
```
- policy or policy config https://docs.gitops.weave.works/docs/0.18.0/policy/policy-configuration/
- policy that should target clusterrole and role
```yaml
- name: verb
  type: string
  required: true
  value: "get" # do the same for list and watch
```
Can we do a couple of things here?
- Put the full version of this for users so that they can copy and paste.
- Check what happens when someone uses `*` for verbs
Given policy library is enterprise feature, I cannot add it here.
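The wildcard case raised above, as an added example that is not part of this PR, the weave-gitops docs or the policy library: a small check over Role/ClusterRole manifests that reports which roles can read Secrets (and thus the promotion credentials token), treating `*` in verbs, resources or apiGroups as a match, which a policy that only looks for the literal verb `get` would miss. The manifests are constructed sample input in the shape `yaml.safe_load` would return.

```python
# Added example: detect RBAC rules that can read Secrets, including via "*" wildcards.
# Not code from the PR or the policy library; the sample manifests below are constructed.

READ_VERBS = {"get", "list", "watch"}


def rule_matches(rule, api_group, resource, verbs):
    """True if a single PolicyRule grants any of `verbs` on api_group/resource.

    Kubernetes RBAC treats "*" in apiGroups, resources or verbs as "everything",
    so a rule with verbs: ["*"] grants get/list/watch even though "get" never
    appears in it literally. The core API group is the empty string "".
    """
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    rule_verbs = set(rule.get("verbs", []))
    group_ok = "*" in groups or api_group in groups
    resource_ok = "*" in resources or resource in resources
    verb_ok = "*" in rule_verbs or bool(rule_verbs & set(verbs))
    return group_ok and resource_ok and verb_ok


def find_secret_readers(manifests, verbs=READ_VERBS):
    """Return 'Kind/name' for every Role or ClusterRole whose rules can read Secrets."""
    hits = []
    for m in manifests:
        if m.get("kind") not in ("Role", "ClusterRole"):
            continue
        if any(rule_matches(r, "", "secrets", verbs) for r in m.get("rules", [])):
            hits.append(f"{m['kind']}/{m['metadata']['name']}")
    return hits


# Constructed manifests (hypothetical names), already parsed from YAML.
SAMPLE = [
    {"kind": "Role", "metadata": {"name": "pipeline-controller-promotion"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "wildcard-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "Role", "metadata": {"name": "configmap-reader"},
     "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"name": "secret-creator"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["create"]}]},
]

if __name__ == "__main__":
    for name in find_secret_readers(SAMPLE):
        print("can read Secrets:", name)
```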
Assumptions / Actions: Service Accounts
Extend RBAC
Extend Policy
comments added from session with Michael and Kevin
```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - policies/RBACProhibitWildcards/no-wildcard-on-resources-policy.yaml
```
@MostafaMegahid how should we contribute these policies to the policy library?
Today we synced on this topic. The suggested path would be to:
- add these policies to the policy library. An example of this could be https://github.com/weaveworks/policy-library/tree/main/policies/RBACClusterRoleClusterAdmin
- create an RBAC best practices kustomization including the previous policies
- reference this kustomization in the documentation

A user would only need to use this kustomization.

cc @squaremo
Draft PR for good practices within policy-library weaveworks/policy-library#31
To review today with Mostafa
Just edits as suggestions, this time. Once we have nailed down how to use the policy library, I think we're good to go.
Thorough work Eneko, thank you so much for following this through. What a journey :-)
This is Eneko and Michael going through together and refining some of the points.
…ore guidance to users.
… good practices and workload escalation.
Co-authored-by: Michael Bridgen <[email protected]>
… library by a customer.
Closes weaveworks/weave-gitops-enterprise#2564
What changed?
Extending existing guidance to include the ability to create the deny semantics required for least privilege on access to the credentials token.
Why was this change made?
Because otherwise the pipeline controller would have access to the secret, but nothing would prevent other roles from having access to it as well.
How was this change implemented?
Docs
How did you validate the change?
Tested locally
Release notes
Documentation Changes