Uploaded image for project: 'OpenShift Virtualization'
  1. OpenShift Virtualization
  2. CNV-40958

All new features should have granular access control

XMLWordPrintable

    • granular-feature-access-control
    • False
    • Hide

      None

      Show
      None
    • False
      • Process defined such that all new features will have more granular access control than cluster-wide on/off
      • Able to restrict feature while VMs exist still utilizing feature
    • None
    • To Do
    • ---
    • ---

      Feature gates are a simple method to enable or disable a feature within a component or product.

      With CNV's ever increasing footprint and attack-surface, having the ability to restrict a feature with greater granularity would allow an admin to respond to newly identified threats quickly and without a major disruption of service.

      Expected limitations:

      • Feature gates are a simple on/off switch, with cluster-wide impact.
      • A feature cannot be disabled if any VM is utilizing the feature.

      Scenario:
      Feature A is enabled cluster-wide and not limited by any means. A security issue is discovered with feature A, but the admin requires this feature on a select group of VMs. Unable to restrict with granularity, the admin must disable the feature, however since there are many VMs utilizing the feature (some expected, some not), VM creation must be blocked and those VMs removed before the feature gate can be disabled. This causes service downtime that will affect the admin and all VM users.

      Recommendation:
      All new features should provide granular access control (namespace/role) allowing the admin to restrict features as desired with minimal impact to service. In the above scenario, the admin would be able to limit the feature to the VMs required and remove all other VMs that are in violation of this policy, all while new VMs not utilizing this feature may continue to be created.

      Exceptions:
      There should be minimal exceptions to this granular access control

              dholler@redhat.com Dominik Holler
              rhn-support-sbennert Sarah Bennert
              Geetika Kapoor Geetika Kapoor
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: