Story
Resolution: Unresolved
Goal: create a POC that adds an SCC (Security Context Constraints) to a job definition on rehearsal for an eligible user.
We restricted rehearsals to a small number of eligible users to narrow the attack window for possibly malicious activities (e.g. exploiting secrets, ...).
It was discussed that limiting rehearsals to only some users is an inconvenience for others, since they need to ask people to run the rehearsal for them. (Which people exactly are suffering, and how often?)
One idea was to create a special SCC that is added to rehearsal jobs started by privileged users and that allows, e.g., changing the mounting of secrets.
We want to explore how we can implement and integrate such a restriction (e.g. can we just add the SCC to the job when it is created, or do we need to modify the prow-controller-manager?). The outcome should be a POC.