
feat: least priv rbac creation #324

Merged
merged 28 commits into from
Oct 26, 2023

Conversation

cmwylie19
Collaborator

@cmwylie19 cmwylie19 commented Oct 17, 2023

Description

Build time flag --rbac-mode determines whether the ClusterRole for the Pepr ServiceAccount receives cluster-admin permissions (default) or scoped permissions based on the capability bindings.

Uses a reduce function to iterate over the capability's bindings and determine the verbs, plural, and groups needed in order to build a ClusterRoleBinding. That function is used in the createClusterRole function.

Includes:

  • docs
  • development
  • unit test
  • e2e test

Related Issue

Fixes #31

Relates to #

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Checklist before merging
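The reduce sketched in the description, as an added example rather than Pepr's own code: it folds a module's capability bindings into ClusterRole rules, collecting the API group, plural resource name and verbs per rule, and switches between the cluster-admin default and the scoped rules the same way --rbac-mode does. The `Binding` shape, the naive `pluralOf` helper and the verb mapping in `verbsFor` (watch bindings need get/list/watch; admission bindings need no verbs on the target resource because the API server calls the webhook) are assumptions for this illustration, as is the `assertRbacMode` guard that rejects anything other than `"admin"` or `"scoped"`, including the empty string discussed later in the review.

```typescript
// Added illustration, not Pepr's own code: derive a ClusterRole from capability
// bindings via a reduce, with the "admin" / "scoped" switch --rbac-mode selects.
// The Binding shape, plural derivation and verb mapping are assumptions.

type RbacMode = "admin" | "scoped";

// Assumed binding shape: the Kubernetes kind a capability acts on, and how.
interface Binding {
  kind: { group: string; version: string; kind: string };
  event: string; // e.g. "CREATE", "UPDATE", "DELETE"
  isMutate?: boolean;
  isValidate?: boolean;
  isWatch?: boolean;
}

interface PolicyRule {
  apiGroups: string[];
  resources: string[];
  verbs: string[];
}

interface ClusterRole {
  apiVersion: "rbac.authorization.k8s.io/v1";
  kind: "ClusterRole";
  metadata: { name: string };
  rules: PolicyRule[];
}

// Assumption: naive plural of a kind name; real code should use API discovery.
function pluralOf(kind: string): string {
  const lower = kind.toLowerCase();
  if (/y$/.test(lower)) return lower.replace(/y$/, "ies");
  if (/s$/.test(lower)) return lower + "es";
  return lower + "s";
}

// Assumption: admission bindings (mutate/validate) are invoked by the API server
// and need no verbs on the target resource; a watch binding needs get/list/watch.
function verbsFor(b: Binding): string[] {
  return b.isWatch ? ["get", "list", "watch"] : [];
}

// Reject anything but the two documented modes instead of treating "" as valid.
function assertRbacMode(mode: string): RbacMode {
  if (mode === "admin" || mode === "scoped") return mode;
  throw new Error('rbacMode must be "admin" or "scoped", got "' + mode + '"');
}

function buildRules(bindings: Binding[], rbacMode: string): PolicyRule[] {
  if (assertRbacMode(rbacMode) === "admin") {
    // Default behaviour: a cluster-admin-equivalent wildcard rule.
    return [{ apiGroups: ["*"], resources: ["*"], verbs: ["*"] }];
  }
  // Scoped: one rule per (apiGroup, resource), verbs unioned across bindings.
  const byKey = bindings.reduce<{ [key: string]: PolicyRule }>((acc, b) => {
    const verbs = verbsFor(b);
    if (verbs.length === 0) return acc;
    const group = b.kind.group; // "" is the core API group
    const resource = pluralOf(b.kind.kind);
    const key = group + "/" + resource;
    const rule: PolicyRule = acc[key] || { apiGroups: [group], resources: [resource], verbs: [] as string[] };
    verbs.forEach(v => { if (rule.verbs.indexOf(v) < 0) rule.verbs.push(v); });
    rule.verbs.sort();
    acc[key] = rule;
    return acc;
  }, {});
  return Object.keys(byKey).map(k => byKey[k]);
}

function createClusterRole(name: string, bindings: Binding[], rbacMode: string): ClusterRole {
  return {
    apiVersion: "rbac.authorization.k8s.io/v1",
    kind: "ClusterRole",
    metadata: { name: name },
    rules: buildRules(bindings, rbacMode),
  };
}

// Constructed sample bindings for a hypothetical module (not from any real module).
const sampleBindings: Binding[] = [
  { kind: { group: "", version: "v1", kind: "Pod" }, event: "CREATE", isMutate: true },
  { kind: { group: "", version: "v1", kind: "Pod" }, event: "UPDATE", isWatch: true },
  { kind: { group: "apps", version: "v1", kind: "Deployment" }, event: "CREATE", isWatch: true },
  { kind: { group: "networking.k8s.io", version: "v1", kind: "NetworkPolicy" }, event: "CREATE", isValidate: true },
];

console.log(JSON.stringify(createClusterRole("pepr-example", sampleBindings, "scoped"), null, 2));
```

With the sample bindings, scoped mode yields two rules (core `pods` and `apps` `deployments`, each with get/list/watch) and nothing for the validate-only NetworkPolicy binding, while admin mode yields the single wildcard rule; passing `""` throws rather than silently producing a role.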

@netlify

netlify bot commented Oct 20, 2023

Deploy Preview for pepr-docs ready!

Name Link
🔨 Latest commit 38f1569
🔍 Latest deploy log https://app.netlify.com/sites/pepr-docs/deploys/653a82ec9d87930008c9d75f
😎 Deploy Preview https://deploy-preview-324--pepr-docs.netlify.app

@cmwylie19 cmwylie19 marked this pull request as ready for review October 21, 2023 21:27
cmwylie19 added a commit that referenced this pull request Oct 23, 2023
## Description

Port over existing repo docs to the Hugo site.

AC: Ensure that all content is accurately and completely transferred,
maintaining its original meaning and structure. The documentation should
be consistently formatted, adhering to the Hugo site’s style guidelines,
with all links, images, and code snippets functioning correctly.
Additionally, the documentation must be easily navigable, responsive
across various devices, and fully compatible with different browsers,
ensuring a seamless user experience.

Will need to update
[`README.md`](https://github.com/defenseunicorns/pepr/blob/b6aadddc570fb5ac63e3c98a72eb81b0bf98b078/README.md?plain=1#L3)
when site goes live


## Related Issue

Fixes #332 
<!-- or -->
Relates to #324 (If any docs change, they need to change here)

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Other (security config, docs update, etc)

## Checklist before merging

- [x] Test, docs, adr added or updated as needed
- [x] [Contributor Guide
Steps](https://github.com/defenseunicorns/pepr/blob/main/CONTRIBUTING.md#submitting-a-pull-request)
followed

---------

Signed-off-by: Case Wylie <[email protected]>
@@ -40,8 +40,8 @@ export class Assets {

zarfYaml = (path: string) => zarfYaml(this, path);

allYaml = async () => {
allYaml = async (rbacMode: string = "") => {
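Review bot: `allYaml = async (rbacMode: string = "")` widens the parameter to any string and makes the empty string the default, although the only two modes the flag supports are `admin` and `scoped`. A caller that omits the argument gets `""`, which is neither mode, and a misspelled mode passes the compiler. Consider `allYaml = async (rbacMode: "admin" | "scoped") => ...` with no default (or a default of `"admin"`, since that is the documented default behaviour), so the type checker rejects anything else.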
Collaborator

@btlghrants btlghrants Oct 26, 2023

I think I remember us talking about how the only two acceptable rbacMode values would be admin or scoped -- it's what we're enforcing in the cli cmds, right? And, since we've decided that the default-right-now behavior would be considered admin, I wonder what the utility of setting a default value of empty string here would be? As is, this implies that empty string is a valid value but is it?

I would sort of have expected this to have a default value of "admin" (if we wanted to push the validation into the lib code) or to not have a default at all (if we wanted to just rely on the cli invocation).

@@ -40,7 +40,7 @@ export function zarfYaml({ name, image, config }: Assets, path: string) {
return dumpYaml(zarfCfg, { noRefs: true });
}

export async function allYaml(assets: Assets) {
export async function allYaml(assets: Assets, rbacMode: string = "") {
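Review bot: same issue in `export async function allYaml(assets: Assets, rbacMode: string = "")`: the default `""` is not a valid mode and `string` admits typos. Since this is the function the `Assets.allYaml` wrapper delegates to, it is the right single place to validate: make `rbacMode` a required `"admin" | "scoped"` parameter (or throw on any other value) and have the class method forward it without its own default.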
Collaborator

Similar to question in src/lib/assets/index.ts, what's the purpose of a default empty string for rbacMode here? Seems a non-default-valued param would be better here because it wouldn't imply that "" was an expected value. 🤔

Collaborator

@btlghrants btlghrants left a comment

LGTM

@cmwylie19 cmwylie19 changed the title feat: least priv RBAC creation feat: least priv rbac creation Oct 26, 2023
@cmwylie19 cmwylie19 merged commit 64be116 into main Oct 26, 2023
14 checks passed
@cmwylie19 cmwylie19 deleted the 31 branch October 26, 2023 16:13
@cmwylie19 cmwylie19 self-assigned this Aug 23, 2024
Successfully merging this pull request may close these issues.

Make ClusterRole, Webhook bindings restricted to current module
2 participants