Uploaded image for project: 'Red Hat Internal Developer Platform'
  1. Red Hat Internal Developer Platform
  2. RHIDP-7433

Properly add permissions to the Tekton plugin

XMLWordPrintable

    • 1
    • False
    • Hide

      None

      Show
      None
    • False
    • Hide
      = The Tekton-specific permission `tekton.view.read` is removed

      Previously, the Tekton plugin used `tekton.view.read` permission to control access. Users were unable to configure Tekton permissions using the RBAC UI. With this update, users can configure Kubernetes plugin permissions using the RBAC UI, which now governs the access to the Tekton plugin. You can now use Kubernetes plugin permissions `kubernetes.clusters.read`, `kubernetes.resources.read` and `kubernetes.proxy` for the Tekton plugin, as the Tekton-specific permission `tekton.view.read` is removed.

      If you are using a CSV permission file, update the following lines:

      .Old Tekton permission definition
      [source,csv]
      ----
      p, role:default/tekton-viewer, tekton.view.read, read, allow
      p, role:default/tekton-viewer, kubernetes.proxy, use, allow
      ----

      .New Tekton permission definition
      [source,csv]
      ----
      p, role:default/tekton-viewer, kubernetes.clusters.read, read, allow
      p, role:default/tekton-viewer, kubernetes.resources.read, read, allow
      p, role:default/tekton-viewer, kubernetes.proxy, use, allow
      ----
      Show
      = The Tekton-specific permission `tekton.view.read` is removed Previously, the Tekton plugin used `tekton.view.read` permission to control access. Users were unable to configure Tekton permissions using the RBAC UI. With this update, users can configure Kubernetes plugin permissions using the RBAC UI, which now governs the access to the Tekton plugin. You can now use Kubernetes plugin permissions `kubernetes.clusters.read`, `kubernetes.resources.read` and `kubernetes.proxy` for the Tekton plugin, as the Tekton-specific permission `tekton.view.read` is removed. If you are using a CSV permission file, update the following lines: .Old Tekton permission definition [source,csv] ---- p, role:default/tekton-viewer, tekton.view.read, read, allow p, role:default/tekton-viewer, kubernetes.proxy, use, allow ---- .New Tekton permission definition [source,csv] ---- p, role:default/tekton-viewer, kubernetes.clusters.read, read, allow p, role:default/tekton-viewer, kubernetes.resources.read, read, allow p, role:default/tekton-viewer, kubernetes.proxy, use, allow ----
    • Removed Functionality
    • Done

      Story

      As a user of RHDH, I want to be able to create permissions for the Tekton plugin through the use of the RBAC UI so that users can have limited access to the Tekton plugin.

      Background

      Today, there are a number of plugins that have implemented permissions that are unable to be viewed from within the RBAC UI. This is because they are either missing the permission declaration through the use of passing them to the `createPermissionIntegrationRouter` in their respective backend or they do not have a backend plugin at all. These plugins include: Topology, Tekton, Quay, and Red Hat ArgoCD.

       

      The Tekton plugin does not have a backend plugin of its own, instead it relies on the Upstream Backstage Kubernetes backend plugin. As such we have current work that involves adding permissions to the Kubernetes backend plugin. When merged, we can replace the old Tekton plugin permission with the newly create Kubernetes plugin permissions.

      Dependencies and Blockers

      Another team owns the Tekton plugins.

      Waiting on Backstage to review and merge changes to the Kubernetes plugins.

      QE impacted work

      Documentation impacted work

      Acceptance Criteria

      upstream documentation updates (design docs, release notes etc)

      Technical enablement / Demo

              rhn-support-jmagak Judith Amondi Magak
              rh-ee-dzemanov Dominika Zemanovicova
              RHIDP - Plugins
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: