This repository has been archived by the owner on Apr 18, 2024. It is now read-only.

BreakGlass CRD #24

Open
moshloop opened this issue May 13, 2020 · 0 comments

Allow an end-user to request elevated permissions for a specific time period:

  • Support 2-man rule
  • Notification channels
  • Validate ticket etc...

By creating a BreakGlass resource we can elevate permissions for a pre-determined time period.

```yaml
apiVersion: platform.flanksource.com/v1
kind: BreakGlass
spec:
  namespace: # where to apply the permissions to
  # or
  cluster: true
```
```yaml
# in production we log a jira ticket and wait for approval before granting permissions
apiVersion: platform.flanksource.com/v1
kind: BreakGlassTemplate
spec:
  # optional labels on the namespace to match
  matchLabels:
    environment: production
  subjects: [] # list of users who can break glass
  roleRef: admin # role to apply when breaking glass
  defaultDuration: 120m
  maxDuration: 480m
  waitForApproval: true
  hooks:
    - slack
    - jira:
        project:
        assignee:
        priority:
```

Standard RBAC must still be applied to allow these users to create the BreakGlass objects, but without a matching template, the break glass attempt fails.

```yaml
# in dev environments, we don't wait for approval or log a jira ticket
apiVersion: platform.flanksource.com/v1
kind: BreakGlassTemplate
spec:
  matchLabels:
    environment: dev
  roleRef: admin # role to apply when breaking glass
  defaultDuration: 480m
  waitForApproval: false
  hooks:
    - slack
```
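
The template matching this proposal implies can be sketched as a small resolver that fails closed when no template fits; this is an added example, not code from the issue or from the flanksource project. The `Resolve` function and the Go struct are hypothetical, the subject `alice` is constructed, and the handling of empty `subjects`, an unset `maxDuration` and over-long requests is an assumption.

```go
package main

import (
	"fmt"
	"slices"
	"time"
)

// Template mirrors the BreakGlassTemplate fields proposed in the issue.
type Template struct {
	MatchLabels                  map[string]string
	Subjects                     []string
	RoleRef                      string
	DefaultDuration, MaxDuration time.Duration
	WaitForApproval              bool
}

// Resolve returns the first template matching the namespace labels and user, plus the expiry
// to enforce; the caller binds RoleRef only after WaitForApproval is satisfied. Assumptions: empty
// Subjects defers to RBAC, MaxDuration 0 means no cap, over-long requests are rejected, not clamped.
func Resolve(ts []Template, nsLabels map[string]string, user string, want time.Duration, now time.Time) (Template, time.Time, error) {
next:
	for _, t := range ts {
		for k, v := range t.MatchLabels {
			if got, ok := nsLabels[k]; !ok || got != v {
				continue next
			}
		}
		if len(t.Subjects) > 0 && !slices.Contains(t.Subjects, user) {
			continue
		}
		if want <= 0 {
			want = t.DefaultDuration
		}
		if t.MaxDuration > 0 && want > t.MaxDuration {
			return Template{}, time.Time{}, fmt.Errorf("requested %s exceeds maxDuration %s", want, t.MaxDuration)
		}
		return t, now.Add(want), nil
	}
	return Template{}, time.Time{}, fmt.Errorf("no BreakGlassTemplate matches user %q in this namespace", user)
}

func main() {
	// Constructed sample: the production template from the issue with a made-up subject.
	prod := Template{MatchLabels: map[string]string{"environment": "production"}, Subjects: []string{"alice"},
		RoleRef: "admin", DefaultDuration: 120 * time.Minute, MaxDuration: 480 * time.Minute, WaitForApproval: true}
	t, exp, err := Resolve([]Template{prod}, map[string]string{"environment": "production"}, "alice", 0, time.Now())
	fmt.Println(t.RoleRef, t.WaitForApproval, exp, err)
}
```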