Details
-
Epic
-
Resolution: Done-Errata
-
Major
-
None
Description
Story: As a Quay administrator I want to disable remove the config-editor deployed by the Quay Operator so that I have a full audit-trail on the registry configuration.
Background: By default the config editor is deployed for every QuayRegistry instance which makes it difficult to establish an audit-trail over the registry's configuration. Anyone with access to the namespace, config editor secret and config editor route can use the config editor to make changes to the Quay configuration and their identity will not be logged anywhere in the system. By disabling removing the config-editor any config change will be forced through the config bundle property of the QuayRegistry resource which points to a Secret which is then subject to native Kubernetes auditing and logging.
Acceptance criteria:
the config editor becomes a managed component- the config editor is
enabled by defaultremoved and no longer available in an operator deployment the config editor can be disabled by setting its component to unmanagedduring updates from previous Quay operator versions the config editor component will be instantiated as a managed component which is enabled
Attachments
Issue Links
- is triggered by
-
PROJQUAY-3846 Ability to log into Quay config tool using LDAP credentials
-
- Closed
-
- links to
-
RHSA-2023:7341
Red Hat Quay v3.10.0 minor release
- mentioned on
1.
|
QE tracker |
|
Closed | 
|
Sean Zhao |
