Pipeline pull request promotions security review ADR #110
Conversation
makkes
force-pushed
the
pipelines-security
branch
2 times, most recently
from
ea00c5f to
88e2c2a
Compare
makkes
force-pushed
the
pipelines-security
branch
from
88e2c2a to
ca9826c
Compare
docs/adrs/0017-pipeline-security.md
Outdated
| - We will add documentation to provide clear guidance on how to create a fine-grained token with as little scope as necessary. | ||
| - We will add documentation clarifying what we use the token for, so that folks can make informed decisions about how to create it (for example, if you say "Every Pull Request will show up as being created by the user behind the access token", folks might think "Hmmm..., I don’t think that should be my token"). | ||
|
|
||
| ### Design improvements |
There was a problem hiding this comment.
If you're going to store PATs, then you have some other considerations...
- Make it clear in the frontend when the token is not longer valid "The stored token is no longer valid"
- Make it clear in the frontend which user the token is from
For 1, we built an endpoint that called this https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user in the background, and reported a failure if it was no longer valid.
This needs to be cached, otherwise it uses API counts each time (think several users loading the page).
For 2 we used the response to render the "gravatar_url" in the UI which helped users
"Oh, the token was created by John, he left last week, that's probably why it's failing"
There was a problem hiding this comment.
docs/adrs/0017-pipeline-security.md
Outdated
| ### Design improvements | ||
|
|
||
|
|
||
|
|
There was a problem hiding this comment.
Suggestions (not in any particular order)
- extend documentation to provide by git provider examples on how to achieve the setup that we consider the most secure
- ensure that pipeline controller has all the checks required to avoid escaping from the right security context - for example opening pull request in a repo that is not the pipeline one, etc ...
|
i will come back to the ADR once covered the docs PR weaveworks/weave-gitops#3426 |
docs/adrs/0017-pipeline-security.md
Outdated
|
|
||
|
|
||
|
|
||
| ## Consequences |
There was a problem hiding this comment.
to pair with @yiannistri and @ahsayde to understand what we could leverage from policy and secrets to enhance pipelines security
docs/adrs/0017-pipeline-security.md
Outdated
|
|
||
| ## Consequences | ||
|
|
||
| tbd |
There was a problem hiding this comment.
From @bigkevmcd , @MostafaMegahid @yiannistri @enekofb
Scenario A:
As app team that want to leverage pull request creation
automation but having full control
-> i am developer g
- go to wg pipelines
- my pipeline has some configuration for this pull request manual
- there is a new version, so there is deployment happening by flux
- there is promotion pending
- promotion dev to test approved interactively by developer A
via oauth access token (currently we dont have) - if there is a promotion going from test to prod we could
a) cache the token (with short XXX)
b) request another authn
Scenario B:
As app team i want to leverage pull request creation automation
with maximum security https://fluxcd.io/flux/guides/image-update/
a) assumption we have a token
- create branch no pull request
-> what is the security here? there is a branch so the user
a.1) create the secret in an admin protected ns so the admin
acts a as gatekeeper for approving, etc ...
for pipeline-system- granularity -> assuming that the token can only give access
to resource for the operation. - short-live -> ephimeral token -> generate
- granularity -> assuming that the token can only give access
b) we dont have a token (expensive to build )
as pipeline controller i am able to generate an ephimeral token
to create a pr for a particular actions
- option a: github apps
- option b: github apps like generic -> vault backend
enekofb
changed the title
enekofb
force-pushed
the
pipelines-security
branch
from
4ab3d0d to
5506a71
Compare
Co-authored-by: Yiannis <8741709+yiannistri@users.noreply.github.com>
Co-authored-by: Yiannis <8741709+yiannistri@users.noreply.github.com>
Co-authored-by: Yiannis <8741709+yiannistri@users.noreply.github.com>
Closes weaveworks/weave-gitops-enterprise#2472