Story
Resolution: Unresolved
The goal of the Kessel Debug container is to provide an all-encompassing tool for AppSRE to access and troubleshoot Kessel services. It would be beneficial, however, if Kessel engineers had permission to access the debug container when it's running, to aid in troubleshooting or to perform any tasks that may be difficult to translate to AppSRE.
We should define a specific role/rolebinding that grants us access to rsh/exec into the debug pod when it's running, but does not grant access to actually run the deployment itself. This would ensure some security via a 2-member process, so that engineers outside of AppSRE don't have access to a container in prod with the ability to impact production. The goal is that AppSRE would spin up the container for us, and then we could access it.
Done Criteria
- Define a role/rolebinding that could be leveraged to grant members of the `kessel` team access to the pod when running
- Get AppSRE permissions for this role and add to App Interface
- Update any documentation on the process for using the debug container, including app SOPs in App Interface
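
A sketch of the role/rolebinding described above, added here as an example and not taken from the ticket or from App Interface. The role name, the namespace and the group name are assumptions. It grants exec into running pods and nothing that could create or scale the debug deployment:

```yaml
# Added example. Values marked "assumed" are placeholders, not taken from the ticket.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kessel-debug-exec        # assumed role name
  namespace: kessel-debug        # assumed namespace holding the debug deployment
rules:
  # Locate the debug pod once AppSRE has started it.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
  # rsh/exec sessions are authorized against the pods/exec subresource.
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
  # Deliberately absent: any rule on deployments, deployments/scale,
  # replicasets, or create/update/patch/delete on pods. Without those,
  # a member of the bound group cannot start the debug container,
  # which keeps the AppSRE half of the 2-member process intact.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kessel-debug-exec        # assumed binding name
  namespace: kessel-debug        # assumed namespace, must match the Role
subjects:
  - kind: Group
    apiGroup: rbac.authorization.k8s.io
    name: kessel                 # assumed group name for the kessel team
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kessel-debug-exec
```

A namespaced `pods/exec` rule covers every pod in that namespace, and `resourceNames` cannot pin it to a Deployment's pods because their names are generated, so the separation holds best when the debug deployment runs in a namespace of its own. `kubectl auth can-i create deployments.apps -n kessel-debug --as=<user> --as-group=kessel` should answer `no` once the binding is applied.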
- is caused by: RHCLOUD-41957 [Spike] SpiceDB access (Closed)