Extend workspace SA permissions to all secrets/configmaps in namespace #1165
Conversation
Update the default permissions granted to DevWorkspaces to allow read/write access for all secrets/configmaps in the workspace's namespace. Signed-off-by: Angel Misevski <amisevsk@redhat.com>
Codecov Report (patch coverage)

Coverage diff, additional details and impacted files:

@@            Coverage Diff             @@
##             main    #1165      +/-   ##
==========================================
- Coverage   52.53%   52.52%   -0.02%
==========================================
  Files          82       82
  Lines        7460     7458       -2
==========================================
- Hits         3919     3917       -2
- Misses       3260     3261       +1
+ Partials      281      280       -1

View full report in Codecov by Sentry.
Looking at Roman's changes for testing, the issue is that the new permissions still don't contain the
I've pushed an updated image to
@amisevsk I've tested it again and can confirm that now it's possible to get
After discussion, we've decided to go ahead with this change. @l0rd @AObuchow @RomanNikitenko please review this PR when you have time.
LGTM: my (potentially naive) thoughts are that all workspaces created by Che are in a user-owned namespace, and that any resources in that namespace are available to the user anyhow.
If someone were to grant another user access to their workspace (maybe through some pair-programming extension), then this could potentially be abused.
@RomanNikitenko: changing LGTM is restricted to collaborators.
[APPROVALNOTIFIER] This PR is APPROVED. This pull request has been approved by: amisevsk, AObuchow, RomanNikitenko.
What does this PR do?
Update the default permissions granted to DevWorkspaces to allow read/write access for all secrets/configmaps in the workspace's namespace.
We should decide if the privilege escalation here represents an issue before merging this PR. With this change, permissions to create DevWorkspaces = permissions to read/write all secrets/configmaps in the current namespace.
What issues does this PR fix or reference?
No issue currently.
Is it tested? How?
Changes are pushed to quay.io/amisevsk/devworkspace-controller:workspace-permissions
PR Checklist
- Write /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger:
  - v8-devworkspace-operator-e2e: DevWorkspace e2e test
  - v8-che-happy-path: Happy path for verification integration with Che
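The description above states the risk plainly: after this change, permission to create a DevWorkspace implies read/write on every Secret and ConfigMap in the namespace, and the reviewer's remark about a workspace shared through a pair-programming extension is the same concern seen from the other side. The Go program below is an added example, not code from this PR or from the devworkspace-operator. It declares a local mirror of the rbac.authorization.k8s.io/v1 PolicyRule fields (so it needs no client-go), parses two constructed Role manifests in JSON form, one with the namespace-wide secrets/configmaps grant the PR describes and one restricted with resourceNames, and reports every rule that reaches all secrets or configmaps in the namespace rather than a named set. The function name AuditNamespaceWideSecrets, the Role names and the namespace user-ns are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// PolicyRule mirrors the fields of an rbac.authorization.k8s.io/v1 PolicyRule
// that this check needs. It is declared locally so the example has no
// client-go dependency.
type PolicyRule struct {
	APIGroups     []string `json:"apiGroups"`
	Resources     []string `json:"resources"`
	ResourceNames []string `json:"resourceNames,omitempty"`
	Verbs         []string `json:"verbs"`
}

// Role is the subset of a Role manifest this audit reads.
type Role struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	Rules []PolicyRule `json:"rules"`
}

// Finding records one rule that reaches every object of a sensitive resource
// kind in the namespace instead of a named set of objects.
type Finding struct {
	RuleIndex int
	Resource  string
	Verbs     []string
}

// matches reports whether list names want explicitly or via the "*" wildcard.
func matches(list []string, want string) bool {
	for _, s := range list {
		if s == want || s == "*" {
			return true
		}
	}
	return false
}

// AuditNamespaceWideSecrets returns one Finding per rule that grants secrets
// or configmaps (core API group) without a resourceNames restriction. Rules
// limited to named objects pass; the shape flagged is the one the PR
// description calls out: create DevWorkspace == read/write every secret.
func AuditNamespaceWideSecrets(r Role) []Finding {
	var out []Finding
	for i, rule := range r.Rules {
		if !matches(rule.APIGroups, "") { // secrets/configmaps live in the core ("") group
			continue
		}
		if len(rule.ResourceNames) > 0 { // scoped to named objects, not the namespace
			continue
		}
		for _, res := range []string{"secrets", "configmaps"} {
			if matches(rule.Resources, res) {
				out = append(out, Finding{RuleIndex: i, Resource: res, Verbs: rule.Verbs})
			}
		}
	}
	return out
}

// ParseRole decodes a Role manifest given in JSON form (as from kubectl get role -o json).
func ParseRole(data string) (Role, error) {
	var r Role
	err := json.Unmarshal([]byte(data), &r)
	return r, err
}

// WideRoleJSON is a constructed manifest carrying the namespace-wide grant the
// PR adds to the workspace service account (names are assumptions).
const WideRoleJSON = `{
  "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
  "metadata": {"name": "workspace-wide", "namespace": "user-ns"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["secrets", "configmaps"],
     "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]}
  ]
}`

// ScopedRoleJSON is a constructed manifest restricted to named objects.
const ScopedRoleJSON = `{
  "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
  "metadata": {"name": "workspace-scoped", "namespace": "user-ns"},
  "rules": [
    {"apiGroups": [""], "resources": ["secrets"],
     "resourceNames": ["workspace-git-credentials"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["configmaps"],
     "resourceNames": ["workspace-settings"], "verbs": ["get", "update"]}
  ]
}`

func main() {
	for _, doc := range []string{WideRoleJSON, ScopedRoleJSON} {
		role, err := ParseRole(doc)
		if err != nil {
			panic(err)
		}
		findings := AuditNamespaceWideSecrets(role)
		fmt.Printf("%s/%s: %d namespace-wide grant(s)\n", role.Metadata.Namespace, role.Metadata.Name, len(findings))
		for _, f := range findings {
			fmt.Printf("  rule %d grants %v on all %s\n", f.RuleIndex, f.Verbs, f.Resource)
		}
	}
}
```

Run against a real cluster, the same check applies to the output of kubectl get role -o json for the Role bound to the workspace service account; the wide manifest produces two findings (secrets and configmaps from the same rule), the scoped one produces none, which is the difference between "the user already owns the namespace" and "anyone who can create a workspace, or who is let into one, owns its secrets".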