Ensure postgresclusters are available to admin/edit/view clusterroles #49

Open: wants to merge 1 commit into base: main

Conversation

jkatz (Contributor) commented Nov 15, 2021

@sathieu The commit message is fairly sparse. What is the rationale for this change?

Similarly, I believe if we included this, we'd have to do so on the kustomize based installer too.

sathieu (Contributor, Author) commented Dec 1, 2021

@jkatz, I've added the kustomize part. I've not tested this part.

I've also added a createAggregateRoles value to the helm chart, defaulting to true.

You can see more info on aggregated roles by following the included links. My use case is to allow a user having the admin role in a namespace to be able to create a PostgreSQL cluster. This user already has permission to create deployments, pods, ... in the namespace, so this is not a privilege escalation.

sathieu (Contributor, Author) commented Jan 4, 2022

@jkatz Happy new year 🎉! Anything I can do to move this PR forward?

jkatz (Contributor) commented Jan 4, 2022

@sathieu Happy New Year! 🎉 Let me discuss with a few folks around what makes sense.

sathieu (Contributor, Author) commented Feb 2, 2022

@jkatz I've rebased (and resolved a conflict). Anything I can do to move this forward?

sathieu (Contributor, Author) commented Apr 29, 2022

@jkatz Please review (I've rebased).

IMO it makes sense to allow users with access to a namespace to have the same access to PGO resources.

Quoting from the docs:

[The edit cluster role] Allows read/write access to most objects in a namespace.

This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. This role also does not allow write access to Endpoints in clusters created using Kubernetes v1.22+. More information is available in the "Write Access for Endpoints" section.

[The view cluster role] Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings.

This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation).
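The aggregation mechanism the Dec 1 comment refers to, and the admin/edit/view split quoted above, look like this as Kubernetes manifests. This is an added illustration written for this page, not the diff in the PR or the chart's own templates: the ClusterRole names are hypothetical, and it assumes the PostgresCluster CRD lives in the API group `postgres-operator.crunchydata.com` (PGO v5); adjust the group if your installation differs. The built-in roles carry an `aggregationRule` that selects ClusterRoles by these labels, so nothing here edits the built-in roles themselves.

```yaml
# Added example (not the PR's diff): aggregated ClusterRoles that extend the
# built-in admin/edit/view roles with the PostgresCluster custom resource.
# Assumption: the CRD's API group is postgres-operator.crunchydata.com.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: postgres-operator-aggregate-edit   # hypothetical name
  labels:
    # Selected by the aggregationRule of the built-in "edit" and "admin" roles.
    rbac.authorization.k8s.io/aggregate-to-edit: "true"
    rbac.authorization.k8s.io/aggregate-to-admin: "true"
rules:
- apiGroups: ["postgres-operator.crunchydata.com"]
  resources: ["postgresclusters"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: postgres-operator-aggregate-view   # hypothetical name
  labels:
    # Selected by the aggregationRule of the built-in "view" role. Read-only
    # verbs only: the view role deliberately excludes Secrets, and this rule
    # grants nothing on Secrets either, so that boundary is preserved.
    rbac.authorization.k8s.io/aggregate-to-view: "true"
rules:
- apiGroups: ["postgres-operator.crunchydata.com"]
  resources: ["postgresclusters"]
  verbs: ["get", "list", "watch"]
```

After applying the manifests, the check a reviewer would run is an impersonated `kubectl auth can-i`, for example `kubectl auth can-i create postgresclusters.postgres-operator.crunchydata.com --as=<some-user> -n <namespace>` for a subject bound to `edit`, and the same query with `list` for a subject bound to `view`; the edit subject should get `yes` for both, the view subject `no` for `create` and `yes` for `list`. The chart's `createAggregateRoles` value mentioned in the thread is the switch that would include or omit these two objects at install time.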
