Add RBAC Guidelines #2

Status: Merged (3 commits, Jun 18, 2020)

Conversation

agrimmer (Contributor)

No description provided.

This was referenced Jun 12, 2020
@jetzlstorfer (Member)

Thanks for the PR!
Does that mean all existing keptn-sandbox projects would have to be updated once the RBAC rules are effective, e.g., with the next keptn release? Or is the access to API tokens (e.g., unleash or dynatrace) still working?

@agrimmer (Contributor Author)

The currently used default ServiceAccount will still be available, however, with a limited set of rights. If you for example access the API token using the k8s-API, a dedicated RBAC rule is required.

README.md Outdated
* Prefer namespaced Roles and Rolebindings over ClusterRoles and ClusterRoleBindings

### Example:
Let's imagine, the service (deployment) `keptn-sample-service` needs read access for the secret "keptn-sample-secret".

Member (review comment on this line):

we need to clarify this sentence, e.g.,:
Let's imagine the Keptn service (which corresponds to a Kubernetes deployment and service) named keptn-sample-service requires read-access for a secret called keptn-sample-secret in the keptn namespace.

Contributor Author:

Thanks, addressed.

@jetzlstorfer (Member) left a comment:

We should also add the changes that are necessary if no additional permissions are needed.

It would be helpful to have two scenarios:
Scenario 1: no additional permissions required --> what to change
Scenario 2: permissions to read a secret required --> what to change
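The two scenarios the reviewer asks for, worked through as an added example for this thread; it is not the PR's README text and not keptn's own manifests. It reuses the names from the discussion (the `keptn-sample-service` deployment, the `keptn-sample-secret` secret and the `keptn` namespace suggested above); the dedicated ServiceAccount name, the Role/RoleBinding names, the placeholder container image and the `automountServiceAccountToken` setting in scenario 1 are assumptions made here.

```yaml
# Scenario 1: the service never talks to the Kubernetes API.
# Added example, not keptn code. No Role or RoleBinding is created and the
# pod keeps using the (now restricted) default ServiceAccount. Disabling the
# token mount is an extra hardening step assumed here: a compromised
# container then has no credential to present to the API server at all.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keptn-sample-service
  namespace: keptn
spec:
  replicas: 1
  selector:
    matchLabels:
      run: keptn-sample-service
  template:
    metadata:
      labels:
        run: keptn-sample-service
    spec:
      automountServiceAccountToken: false          # assumption: no API access needed
      containers:
        - name: keptn-sample-service
          image: example.org/keptn-sample-service:0.1.0   # placeholder image
---
# Scenario 2: the service reads keptn-sample-secret through the API.
# Create a dedicated ServiceAccount, a namespaced Role limited to that one
# secret, and a RoleBinding; the Deployment then runs as that account.
# Namespaced Role + RoleBinding, as the guideline prefers, not ClusterRole.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: keptn-sample-service          # assumed name for the dedicated account
  namespace: keptn
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: keptn-sample-service-secret-reader   # assumed name
  namespace: keptn
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["keptn-sample-secret"]   # only this secret, not every secret in keptn
    # "get" only. list/watch are not narrowed by resourceNames unless the
    # client filters by metadata.name, so granting them would expose every
    # secret in the namespace.
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: keptn-sample-service-secret-reader   # assumed name
  namespace: keptn
subjects:
  - kind: ServiceAccount
    name: keptn-sample-service
    namespace: keptn
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: keptn-sample-service-secret-reader
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keptn-sample-service
  namespace: keptn
spec:
  replicas: 1
  selector:
    matchLabels:
      run: keptn-sample-service
  template:
    metadata:
      labels:
        run: keptn-sample-service
    spec:
      serviceAccountName: keptn-sample-service   # run as the dedicated account
      containers:
        - name: keptn-sample-service
          image: example.org/keptn-sample-service:0.1.0   # placeholder image
```

After applying scenario 2, the grant can be checked without deploying anything: `kubectl auth can-i get secret/keptn-sample-secret -n keptn --as=system:serviceaccount:keptn:keptn-sample-service` should answer `yes`, while `kubectl auth can-i list secrets -n keptn --as=system:serviceaccount:keptn:keptn-sample-service` and the same `get` against any other secret name should answer `no`. If a service also needs the token of a second integration (unleash, dynatrace), add that secret's name to `resourceNames` rather than widening the rule to all secrets.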

@jetzlstorfer (Member) left a comment:

lgtm
