Security : move away from "cluster-admin" everywhere #72

Open
1 of 3 tasks
olevitt opened this issue Oct 24, 2020 · 0 comments
Labels
security Related to security

olevitt commented Oct 24, 2020

Currently, Onyxia-api does everything (both kubectl and helm) using a single service account that is supposed to be cluster-admin.
Here are some improvements we could make:

  • All regular kubectl and helm calls should be made using the user's permissions
  • Onboarding (creating the user's namespace, applying permissions ...) should be done using a separate service account and preferably done in another process / pod (externalize the onboarding process as a standalone API?)
  • Try to reduce, or at least refine and make explicit, the permissions needed for the onboarding feature. Currently, it defaults to creating a cluster-admin service account, which is probably too much
@olevitt olevitt added the security Related to security label Oct 24, 2020
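
An added example, not taken from Onyxia's code or charts, illustrating the third item of the issue: the cluster-admin binding it describes next to a narrower ClusterRole for a separate onboarding service account. The names `onyxia-api`, `onyxia-onboarding` and the namespace `onyxia` are hypothetical, and the rule set assumes onboarding only creates a namespace and binds the built-in `admin` ClusterRole to the user inside it.

```yaml
# BEFORE (what the issue describes): one service account bound to cluster-admin.
# All names below are hypothetical; adapt them to the actual deployment.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: onyxia-api-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: onyxia-api
    namespace: onyxia
---
# AFTER (assumed rule set): a dedicated onboarding account that can only
# create namespaces and hand out one pre-existing role inside them.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: onyxia-onboarding
rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["create", "get", "list"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["rolebindings"]
    verbs: ["create", "get", "list"]
  # "bind" on a single named role lets the account create RoleBindings that
  # reference it without holding that role's permissions itself, and without
  # being able to bind anything stronger (such as cluster-admin).
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["clusterroles"]
    verbs: ["bind"]
    resourceNames: ["admin"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: onyxia-onboarding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: onyxia-onboarding
subjects:
  - kind: ServiceAccount
    name: onyxia-onboarding
    namespace: onyxia
```

With these manifests applied, `kubectl auth can-i '*' '*' --as=system:serviceaccount:onyxia:onyxia-onboarding` should answer `no`. Because the binding is cluster-wide, the account can still grant `admin` in any namespace, so restricting it to user namespaces needs an additional control such as an admission policy.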