Get rid of get secrets permission of dashboard client #1338

Closed
4 tasks done
petersutter opened this issue Nov 4, 2022 · 3 comments
Labels
component/dashboard Gardener Dashboard kind/enhancement Enhancement, improvement, extension lifecycle/rotten Nobody worked on this for 12 months (final aging stage) status/closed Issue is closed (either delivered or triaged)

Comments

@petersutter (Member) commented Nov 4, 2022

What would you like to be added:
The get secrets permission of the dashboard client (which is "almost" as powerful as having the cluster-admin permission) is required for:

```yaml
# required for terminal bootstrapping and gardener/dashboard#943
- apiGroups:
  - ""
  resources:
  - secrets
  verbs:
  - get
```

To get rid of the get secret permission we need to solve

Why is this needed:

@petersutter petersutter added kind/enhancement Enhancement, improvement, extension component/dashboard Gardener Dashboard labels Nov 4, 2022
@petersutter petersutter changed the title Get rid of get secrets Get rid of get secrets permission Nov 4, 2022
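The rule quoted in the issue grants the dashboard client `get` on every Secret in every namespace the binding covers, which is why the author compares it to cluster-admin. As an added example (not code from the Gardener project), here is a small audit helper that walks a list of RBAC rules, flags any rule able to read core-group Secrets, and rates a rule without `resourceNames` (or with verbs `resourceNames` cannot narrow) as broad. The rule lists are constructed for the example; the first mirrors the issue's snippet, while the scoped variant and its Secret name are assumptions, not a change the project made.

```python
# Added example: audit ClusterRole/Role rules for read access to Secrets.
# Not Gardener code; the rule sets below are constructed for this example.

SECRET_READ_VERBS = {"get", "list", "watch", "*"}
# resourceNames only narrows single-object requests. Kubernetes does not apply it
# to list/watch unless the client also sends a matching metadata.name field
# selector, so a rule carrying those verbs is treated as broad here.
BROAD_VERBS = {"list", "watch", "*"}


def matches(values, wanted):
    """True if an RBAC list (apiGroups/resources) names `wanted` or is a wildcard."""
    return wanted in values or "*" in values


def secret_read_findings(rules):
    """Return one finding per rule that grants a read verb on core-group Secrets."""
    findings = []
    for index, rule in enumerate(rules):
        if not matches(rule.get("apiGroups", []), ""):
            continue
        if not matches(rule.get("resources", []), "secrets"):
            continue
        read_verbs = set(rule.get("verbs", [])) & SECRET_READ_VERBS
        if not read_verbs:
            continue
        names = list(rule.get("resourceNames", []))
        # No resourceNames, or verbs resourceNames cannot narrow: the subject can
        # read every Secret in every namespace the binding applies to.
        broad = not names or bool(read_verbs & BROAD_VERBS)
        findings.append({
            "rule": index,
            "verbs": sorted(read_verbs),
            "resourceNames": names,
            "severity": "high" if broad else "medium",
        })
    return findings


# Constructed input: the rule quoted in the issue, as a Python structure,
# plus an unrelated ConfigMap rule that must not be flagged.
DASHBOARD_CLIENT_RULES = [
    {  # required for terminal bootstrapping and gardener/dashboard#943
        "apiGroups": [""],
        "resources": ["secrets"],
        "verbs": ["get"],
    },
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]},
]

# Constructed alternative (an assumption, not a Gardener change): the same verb
# scoped to one named Secret via resourceNames. The Secret name is a placeholder.
# Note that a ClusterRole with resourceNames still matches that name in every
# namespace, so a namespaced Role plus RoleBinding narrows it further.
SCOPED_RULES = [
    {
        "apiGroups": [""],
        "resources": ["secrets"],
        "verbs": ["get"],
        "resourceNames": ["<monitoring-secret-name>"],
    },
]

if __name__ == "__main__":
    for label, rules in (("dashboard-client", DASHBOARD_CLIENT_RULES),
                         ("scoped", SCOPED_RULES)):
        for f in secret_read_findings(rules):
            names = ", ".join(f["resourceNames"]) or "ALL"
            print(f"{label}: rule {f['rule']} {f['severity']} "
                  f"verbs={f['verbs']} names={names}")
```

Run as-is it reports the issue's rule as `high` (any Secret, any namespace) and the scoped variant as `medium`; feeding it the `rules:` of a real ClusterRole loaded from YAML works the same way, since the function only looks at the standard `apiGroups`, `resources`, `verbs` and `resourceNames` keys.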
@vlerenc (Member) commented Nov 8, 2022

Out of curiosity: Isn't the title somewhat misleading? The dashboard will always require permissions to read and write (cloud provider) secrets, but in that case (different than viewers), it's done with the end user token or what's the (current) state?

@petersutter petersutter changed the title Get rid of get secrets permission Get rid of get secrets permission of dashboard client Nov 8, 2022
@petersutter (Member, Author) commented Nov 8, 2022

Yes, correct. We always use the user's token to read / write cloud provider secrets, but to read the monitoring secret we take the dashboard user: https://github.com/gardener/dashboard/blob/master/backend/lib/services/shoots.js#L317-L324
I have updated the title accordingly so that it is clear that I'm talking about the dashboard client.

@gardener-robot gardener-robot added the lifecycle/stale Nobody worked on this for 6 months (will further age) label Jul 18, 2023
@gardener-robot gardener-robot added lifecycle/rotten Nobody worked on this for 12 months (final aging stage) and removed lifecycle/stale Nobody worked on this for 6 months (will further age) labels Mar 26, 2024
@petersutter (Member, Author) commented

/close all tasks done

@gardener-robot gardener-robot added the status/closed Issue is closed (either delivered or triaged) label Oct 17, 2024