  1. Hybrid Cloud Console
  2. RHCLOUD-42278

Define K8s RBAC for exec/rsh into Kessel Debug Pod


      The goal of the Kessel Debug container is to provide an all-encompassing tool for accessing and troubleshooting Kessel services by AppSRE. It would be beneficial, however, if Kessel engineers had permission to access the debug container when it's running, to aid in troubleshooting or perform any tasks needed that may be difficult to translate to AppSRE.

      We should define a specific role/rolebinding that grants us access to rsh/exec to the debug pod when it's running, but does not grant access to actually run the deployment itself. This would ensure some security via a 2-member process so that engineers outside of AppSRE don't have access to a container in prod with the ability to impact production. The goal is that AppSRE would spin up the container for us, and then we could access it.

      Done Criteria

      • Define a role/rolebinding that could be leveraged to grant members of the `kessel` team access to the pod when running
      • Get AppSRE permissions for this role and add to App Interface
      • Update any documentation on the process for using the debug container, including app SOPs in App Interface
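
A sketch of the role/rolebinding split described above, added here as an example and not taken from the ticket or from App Interface. The namespace, object names and group name are placeholders, and the sketch assumes the debug pod runs in a namespace of its own.

```yaml
# Added example. Every name marked "placeholder" is an assumption.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kessel-debug-exec          # placeholder
  namespace: kessel-debug          # placeholder: namespace holding only the debug pod
rules:
  # Locate the running debug pod (rsh/exec need to read the pod first).
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  # Open a session in it. "create" covers the POST-based exec request;
  # "get" is included on the assumption that some clients open the
  # stream with a WebSocket GET.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create", "get"]
  # Deliberately absent: any create/update/patch/delete on pods,
  # deployments, deploymentconfigs or */scale. Without those verbs the
  # bound group cannot start or resize the debug workload, so AppSRE
  # remains the only party able to bring the pod up.
  #
  # RBAC cannot select pods by label. This rule therefore allows exec
  # into every pod in the namespace, which is why the sketch assumes a
  # dedicated namespace. If the pod name is fixed, resourceNames can
  # narrow the pods/exec rule to that one pod instead.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kessel-debug-exec          # placeholder
  namespace: kessel-debug          # placeholder
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: kessel                   # placeholder for the team's group name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kessel-debug-exec
```

The split can be checked with `kubectl auth can-i create pods --subresource=exec --as=<user> --as-group=kessel -n kessel-debug`, which should answer yes, while the same check for `create deployments` should answer no.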

              anatale.openshift Antony Natale
              rh-ee-tcreller Tyler Creller