  1. OpenShift Request For Enhancement
  2. RFE-4251

ROSA block editing hive-owned objects via GitOps


    • Feature Request
    • Resolution: Unresolved
    • Hive

      1. Proposed title of this feature request
      ROSA block editing hive-owned objects via GitOps via admission webhooks

      2. What is the nature and description of the request?
      ROSA has guardrails in place in the form of validating webhooks to protect various parts of the platform from being edited by users. This also works for the cluster-admin user created via the `rosa create admin` command. But this is not always the case for GitOps-driven changes. Users often assign the `cluster-admin` role to the `openshift-gitops-argocd-application-controller` SA, which in turn effortlessly creates machineconfigs etc.

      3. Why does the customer need this? (List the business requirements here)
      The more guardrails are in place, the more self-explanatory and self-contained the product is, and the less vendor involvement is necessary.
      Example: https://access.redhat.com/support/cases/#/case/03514092 (chrony config applied via gitops successfully)

      4. List any affected packages or components.

      https://github.com/openshift/managed-cluster-validating-webhooks

            rh-ee-adejong Aaren de Jong
            anestero@redhat.com Anton Nesterov
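Until such a webhook exists, the condition described in the request (a service account bound to `cluster-admin`) can be audited from the cluster's ClusterRoleBindings. The following is an added example, not part of the ticket or of the managed-cluster-validating-webhooks project; the binding names, the `ci` entry and the `openshift-gitops` namespace in the sample are constructed, and the input is assumed to have the shape of `oc get clusterrolebindings -o json` output.

```python
# Added example: list service-account identities that hold a given ClusterRole.
# SAMPLE is constructed data shaped like `oc get clusterrolebindings -o json`.
SAMPLE = {"items": [
    {"metadata": {"name": "cluster-admins"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "cluster-admin"}]},
    {"metadata": {"name": "gitops-cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "openshift-gitops",
                   "name": "openshift-gitops-argocd-application-controller"}]},
    {"metadata": {"name": "ci-all-sas"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts:ci"}]},
    {"metadata": {"name": "viewer"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "reader"}]},
    {"metadata": {"name": "empty"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": None},  # a binding may carry no subjects at all
]}


def sa_username(namespace, name):
    """Username the API server reports for a service account."""
    return f"system:serviceaccount:{namespace}:{name}"


def service_accounts_with_role(crb_list, role="cluster-admin"):
    """Return sorted (binding, identity) pairs for service accounts bound to `role`."""
    findings = []
    for crb in crb_list.get("items", []):
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role:
            continue
        binding = crb["metadata"]["name"]
        for subject in crb.get("subjects") or []:
            kind, name = subject.get("kind"), subject.get("name", "")
            if kind == "ServiceAccount":
                findings.append((binding, sa_username(subject.get("namespace", ""), name)))
            elif kind == "Group" and name.startswith("system:serviceaccounts"):
                # Group form: every service account in a namespace (or in the cluster).
                findings.append((binding, name))
    return sorted(findings)


if __name__ == "__main__":
    for binding, identity in service_accounts_with_role(SAMPLE):
        print(f"{binding}: {identity}")
```
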