Limit users who are allowed to use the User Impersonation Feature via an Admission Controller #134

Closed
alewitt2 opened this issue Feb 17, 2021 · 1 comment
Labels
enhancement New feature or request

Comments

@alewitt2
Member

An extension of #104: now that user impersonation is available, we need to enforce it for users who have direct cluster access.

The admission controller should enforce a user's ID on razeedeploy resources, unless they are authorized via the kube API to impersonate another user, in which case we will allow them to specify a different user than themselves.

The admission controller should be able to make an API call to the kube API and, given the user ID, ask kube whether the user has the required access to do user impersonation. Given the response from kube, we either leave the user impersonation field in the razeedeploy resource as is, or update it to the requesting user's ID before allowing it to be applied to the cluster.

@alewitt2 alewitt2 added the enhancement New feature or request label Feb 17, 2021
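
The check described in the issue above, as an added example that is not part of the issue or of razeedeploy's own code: a mutating-webhook handler that asks the kube API, through a `SubjectAccessReview`, whether the requester may impersonate the named user, and otherwise rewrites the field to the requester's own ID. The field path `spec.clusterAuth.impersonateUser`, the function names and the caller-supplied `submitReview` are assumptions.

```javascript
// Added example, not razeedeploy code. Assumes the impersonation field lives at
// spec.clusterAuth.impersonateUser on the razeedeploy resource.

// SubjectAccessReview asking: may `userInfo` impersonate the user `target`?
function buildSubjectAccessReview(userInfo, target) {
  return {
    apiVersion: 'authorization.k8s.io/v1',
    kind: 'SubjectAccessReview',
    spec: {
      user: userInfo.username,
      groups: userInfo.groups || [],
      resourceAttributes: { group: '', resource: 'users', verb: 'impersonate', name: target }
    }
  };
}

// submitReview(sar) is a hypothetical caller-supplied function that POSTs the
// SubjectAccessReview to the kube API and resolves with the returned object.
async function reviewImpersonation(admissionReview, submitReview) {
  const { uid, userInfo, object } = admissionReview.request;
  const response = { uid, allowed: true };
  const clusterAuth = (object.spec || {}).clusterAuth;
  const requested = clusterAuth && clusterAuth.impersonateUser;

  // Naming yourself needs no authorization check.
  let keep = requested === userInfo.username;
  if (!keep && requested) {
    try {
      const sar = await submitReview(buildSubjectAccessReview(userInfo, requested));
      keep = Boolean(sar.status && sar.status.allowed);
    } catch (err) {
      keep = false; // fail closed: an unanswered check never grants impersonation
    }
  }
  if (!keep) {
    // JSON Patch "add" replaces an existing member; create the parent if absent.
    const patch = clusterAuth
      ? [{ op: 'add', path: '/spec/clusterAuth/impersonateUser', value: userInfo.username }]
      : [{ op: 'add', path: '/spec/clusterAuth', value: { impersonateUser: userInfo.username } }];
    response.patchType = 'JSONPatch';
    response.patch = Buffer.from(JSON.stringify(patch)).toString('base64');
  }
  return { apiVersion: 'admission.k8s.io/v1', kind: 'AdmissionReview', response };
}
```

The resource is always admitted; only the impersonation field changes, so a denied or failed check downgrades the request to the requester's own identity instead of rejecting it.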
@alewitt2
Member Author

Duplicate of razee-io/razeedeploy-core#189
