introduce authentication/authorization at the EventListenerTrigger le… #454
Conversation
Hi @gabemontero. Thanks for your PR. I'm waiting for a tektoncd member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
I'll defer on assigning reviewers myself until either one of the project admins does it, or after we've discussed this PR on the sync call and decided who should get assigned.
/work-in-progress cancel
/assign @wlynch
/ok-to-test
ok at least fixed the gofmt's; need to look into my new integration test
my new test's reuse needs some work /work-in-progress
quick update: I have my new auth test passing locally when I temporarily disable the existing test, in that the trigger SA without perms is getting forbidden on the create resources attempt. When I next get to this I'll either:
Need another rebase ...
Perhaps another "scenario": I also have some usage experience from other CI systems which I believe have bearing here. I certainly don't think it makes sense to reference it in the doc updates in any way. And I thought I mentioned it on prior calls, but if need be, I can further detail / reiterate in either forum. Perhaps a discussion point for today's call.
latest rebase up / tests clean
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: dibyom. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/lgtm
/retest
Thanks for adding this @gabemontero. Appreciate your patience with this PR!
My pleasure @dibyom and likewise appreciate the patience and openness wrt the PR. Authorization related matters are certainly not to be taken lightly.
I would agree. Poking around the examples, it seems like we would add the new SA and a more precise/specific set of roles under https://github.com/tektoncd/triggers/tree/master/examples/role-resources, and then provide an alternative to the example you noted accordingly, agree? I'm thinking I'm going to circle back with @khrm @siamaksade and @vdemeester on my end and see if we want to do a short term example independent of @khrm's upcoming work, or if that might land reasonably soon, and use that instead to drive the example. One of us will report back once we've had a chance to confer. thanks again
Yeah, we'd need a couple of more specific roles/SAs. They could either live with the example itself or in the role-resources folder...the role resources folder is meant for more of the "common" resources that are shared between multiple examples.
Sounds good to me! Thank you!
…vel (with default back to existing EventListener level)
Changes
While this does not fully address #77, this change intends to provide more granular authorization, besides just the EventListener service account, and sets the stage for "multi-tenant themed" authorization around creating tekton resources from triggers and the EventListener sink.

As discussed in recent instances of the weekly project sync call, the actual employing of SubjectAccessReview checks (and the k8s admission related resources those would require) belongs in the https://github.com/tektoncd/pipelines project, where the identity and permissions around the existing SA of the EventListener or the new SA for the EventListenerTrigger introduced here would be used for any SAR calls in the core pipeline controller.

As such, we could ultimately gate merging of this, if we reached consensus on this, on that tektoncd/pipeline work. However, this change does not require that work. And it provides an opt in to finer grained control over which of the tekton CRD types can be created from a given trigger.

And certainly, while reviewing this, if finer grained authorization is deemed desirable at all, one possible outcome is that we want even finer grained control, and incorporate service account on objects with say the EventListenerTrigger
Release Notes
The specification of a service account on the EventListenerTrigger is now available as an override of the service account of the EventListener, to facilitate permissions changes wrt creating Tekton objects as a result of the sink receiving an event.
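As an added illustration of the opt-in described in the Changes and Release Notes sections (example manifests written for this page, not part of the PR or the project's examples directory): a trigger-specific service account bound to a Role that may create only PipelineRuns, set as the override on one trigger while the EventListener keeps its own default SA. The namespace, resource names, the referenced binding/template, and the trigger-level field name `serviceAccountName` are assumptions; check the EventListenerTrigger spec of the Triggers version you run for the exact field.

```yaml
# Constructed example: least-privilege SA for one trigger. The listener's
# own SA stays as it is; only this trigger's resource creation is narrowed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pipelinerun-only-sa        # constructed name
  namespace: demo                  # constructed namespace
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: create-pipelineruns-only
  namespace: demo
rules:
- apiGroups: ["tekton.dev"]
  resources: ["pipelineruns"]      # deliberately no taskruns, pipelines, tasks
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pipelinerun-only-sa-binding
  namespace: demo
subjects:
- kind: ServiceAccount
  name: pipelinerun-only-sa
  namespace: demo
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: create-pipelineruns-only
---
apiVersion: triggers.tekton.dev/v1alpha1
kind: EventListener
metadata:
  name: demo-listener
  namespace: demo
spec:
  # Listener-level SA (assumed to exist); triggers that set no SA use it.
  serviceAccountName: tekton-triggers-example-sa
  triggers:
  - name: git-push-to-pipelinerun
    bindings:
    - name: pipeline-binding         # assumed TriggerBinding
    template:
      name: pipeline-template        # assumed TriggerTemplate
    # Trigger-level override (field name assumed); resources produced by
    # this trigger's template are created as pipelinerun-only-sa.
    serviceAccountName: pipelinerun-only-sa
```

With this in place, a template on that trigger that also emits a TaskRun is refused by the API server with a Forbidden error on the create call, which is the behaviour the author reports from the new auth test above; the listener's default SA is unaffected for the other triggers.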