Uploaded image for project: 'Service Binding'
  1. Service Binding
  2. APPSVC-1309

ClusterEnvironment check over-permission

XMLWordPrintable

    • Icon: Story Story
    • Resolution: Done
    • Icon: Minor Minor
    • Primaza 0.1
    • None
    • Service Binding
    • None
    • AppSvc Sprint 238, AppSvc Sprint 239, AppSvc Sprint 240, AppSvc Sprint 241

      Owner: Architect:

      Francesco Ilario

      Story (Required)

      As a Primaza Administrator, I would like Primaza to check if permission it is provided with are more than it requires so that I can reduce the permissions provided and enhance security

      Background (Required)

      As defined in the Primaza architecture document, Primaza is higly focused on security and we don't want to be assigned with more permissions than we need.
      Identities we need to check are:

      • One registered on Worker cluster for Primaza to push agents in namespaces
      • The set of ones registered on Primaza for Worker Cluster's (namespace, namespace type, cluster environment) triple. namespace type is application or service

      See epic for arch document link.

      Glossary

      See glossary in architecture document

      Out of scope

      • agent permissions

      In Scope

      • permissions assigned to cluster environment related identity

      Approach(Required)

      When checking Primaza's permissions on a Cluster Environment we should check it is provided with too much permissions with respect to the required one.
      A common scenario may be the following: a cluster environment is updated to no more use a namespace, but permissions on the namespace itself has not been removed.

      A condition should be added to the Cluster Environment status to indicate the permission error with an extensive explanation of the problems identified.

      The list of permissions for the user can be retrieved using the auth can-i APIs, cfr kubectl auth can-i --list and https://github.com/kubernetes/kubectl/blob/master/pkg/cmd/auth/cani.go.

      Demo requirements(Required)

      NA

      Dependencies

      NA

      Edge Case

      NA

      BDD Tests

      You can find BDD Test specification for this story in the "Testing Instruction" Field Tab or in the GitHub Issue linked to this story.
      Click here for all BDD Tests Issues.

      Acceptance Criteria

      • Development
        ClusterEnvironment controller check if its user has too many privileges
        If too many permissions are provided a condition should be added to the ClusterEnvironment
      • QE
        There are test cases for over and right permissions scenario
      • Docs
        There is a page in our docs dedicated to explaining how to check if too many permissions are provided
        Update architecture document with any changes while implementing

      INVEST Checklist

      Dependencies identified
      Blockers noted and expected delivery timelines set
      Design is implementable
      Acceptance criteria agreed upon
      Story estimated

      Legend

      Unknown
      Verified
      Unsatisfied

              bmuthuka Baiju Muthukadan
              rh-ee-filario Francesco Ilario
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: