Extending pipeline promotions token security documentation #3540
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
enekofb
commented
Mar 28, 2023
| the creation of roles that would allow access to the promotion credentials. | ||
|
|
||
| ```yaml | ||
| apiVersion: pac.weave.works/v2beta2 |
There was a problem hiding this comment.
- policy or policy config https://docs.gitops.weave.works/docs/0.18.0/policy/policy-configuration/
- policy that should target clusterrole and role
bigkevmcd
reviewed
Apr 18, 2023
| - name: verb | ||
| type: string | ||
| required: true | ||
| value: "get" # do the same for list and watch |
There was a problem hiding this comment.
Can we do a couple of things here?
- Put the full version of this for users so that they can copy and paste.
- Check what happens when someone uses
*for verbs
There was a problem hiding this comment.
Given policy library is enterprise feature, I cannot add it here.
|
Assumptions / Actions: Service Accounts
Extend RBAC
Extend Policy
|
enekofb
force-pushed
the
promotion-apps-access-review
branch
from
c203289
to
5553f3f
Compare
enekofb
commented
Jun 30, 2023
enekofb
commented
Jun 30, 2023
enekofb
force-pushed
the
promotion-apps-access-review
branch
2 times, most recently
from
784b0f1
to
e0b9341
Compare
enekofb
commented
Jul 4, 2023
enekofb
commented
Jul 4, 2023
enekofb
commented
Jul 4, 2023
enekofb
commented
Jul 4, 2023
enekofb
commented
Jul 4, 2023
enekofb
commented
Jul 4, 2023
enekofb
commented
Jul 4, 2023
enekofb
commented
Jul 4, 2023
enekofb
commented
Jul 4, 2023
enekofb
force-pushed
the
promotion-apps-access-review
branch
from
c7891ce
to
921e2e9
Compare
enekofb
force-pushed
the
promotion-apps-access-review
branch
from
921e2e9
to
af92de6
Compare
enekofb
commented
Jul 11, 2023
| apiVersion: kustomize.config.k8s.io/v1beta1 | ||
| kind: Kustomization | ||
| resources: | ||
| - policies/RBACProhibitWildcards/no-wildcard-on-resources-policy.yaml |
There was a problem hiding this comment.
@MostafaMegahid how should we contribute these policies to the policy library ?
There was a problem hiding this comment.
Today we synced on this topic. the suggested path would be to
- add these policies to policy library. An example of this could https://github.com/weaveworks/policy-library/tree/main/policies/RBACClusterRoleClusterAdmin
- create a rbac best practices kustomization including the previous policies
- reference this kustomization in the documentation
A user would only need to use this kustomization
cc @squaremo
There was a problem hiding this comment.
Draft PR for good practices within policy-library weaveworks/policy-library#31
There was a problem hiding this comment.
To review today with Mostafa
enekofb
force-pushed
the
promotion-apps-access-review
branch
from
dddf388
to
d7f6f6c
Compare
enekofb
commented
Jul 21, 2023
squaremo
reviewed
Jul 24, 2023
enekofb
force-pushed
the
promotion-apps-access-review
branch
from
dac27b9
to
8e86041
Compare
enekofb
commented
Jul 25, 2023
enekofb
commented
Jul 25, 2023
enekofb
commented
Jul 26, 2023
squaremo
approved these changes
Aug 3, 2023
This is Eneko and Michael going through together and refining some of the points.
…ore guidance to users.
… good practices and workload escalation.
Co-authored-by: Michael Bridgen <[email protected]>
Co-authored-by: Michael Bridgen <[email protected]>
Co-authored-by: Michael Bridgen <[email protected]>
Co-authored-by: Michael Bridgen <[email protected]>
Co-authored-by: Michael Bridgen <[email protected]>
… library by a customer.
enekofb
force-pushed
the
promotion-apps-access-review
branch
from
31d6e68
to
da28ee2
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes weaveworks/weave-gitops-enterprise#2564
What changed?
Extending existing guidance to include the ability to create deny semantics required for least privilege on access to the credentials token
Why was this change made?
Cause otherwise, pipeline controller would have access to the secret but nothing would have avoid that other roles has access to.
How was this change implemented?
Docs
How did you validate the change?
Tested locally
Release notes
Documentation Changes