Deprecate cross-namespace refs and watching multiple namespaces #329
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
squaremo
added
security
impact/security
impact/breaking
squaremo
changed the title
squaremo
force-pushed
the
remove-multi-namespace
branch
from
b4f2bb4 to
350060c
Compare
lukehoban
approved these changes
Oct 4, 2022
Cross-namespace refs won't work with the provided configuration, which gives RBAC permissions for one namespace only. Granting permissions to other namespaces means they are also accessible to the programs run by stacks, which is a security hole. Therefore: guard the use of `api/pulumi/shared/SecretRef.Namespace`, and watching >1 (or all) namespaces with `WATCH_NAMESPACE`, with an environment variable `INSECURE_NO_NAMESPACE_ISOLATION`. This must be set to `1` or `true` to enable cross-namespace operation. Signed-off-by: Michael Bridgen <[email protected]>
Signed-off-by: Michael Bridgen <[email protected]>
errors.Wrap is used extensively to provide extra context to errors. The Go standard library now builds in wrapped errors, with `fmt.Errorf` and the formatting instruction `%w`. This commit replaces github.com/pkg/errors (which is archived) with uses of `fmt.Errorf`. Signed-off-by: Michael Bridgen <[email protected]>
- show that without INSECURE_NO_NAMESPACE_ISOLATION=true, the controller will fail a stack that uses a cross-ns ref - show that with the env entry, it succeeds Signed-off-by: Michael Bridgen <[email protected]>
If you have a cross-namespace ref in your Stack, and namespace isolation has not been waived, you will need to change the stack or reconfigure the controller in order to make progress. This commit introduces a tiny protocol (that could be used throughout, hint hint) so a helper func can signal that an error should stall the object, rather than letting it be retried; and, uses it in `resolveResourceRef` so that forbidden ref will result in a stalled state. Signed-off-by: Michael Bridgen <[email protected]>
squaremo
force-pushed
the
remove-multi-namespace
branch
from
350060c to
b3666ea
Compare
|
Hi, I have a question related to the namespace isolation is it possible to deploy one pulumi operator in one namespace to watch and create stacks across the cluster in all namespaces ? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Cross-namespace refs won't work with the provided configuration, which gives RBAC permissions for one namespace only. Granting permissions to other namespaces means they are also accessible to the programs run by stacks, which is a security hole.
Therefore: guard the use of
api/pulumi/shared/SecretRef.Namespace, and watching >1 (or all) namespaces withWATCH_NAMESPACE, with an environment variableINSECURE_NO_NAMESPACE_ISOLATION. This must be set to1ortrueto enable cross-namespace operation.This is a breaking change for anyone running the operator with either an empty value, or a comma-separated list (e.g.,
ns1,ns2forWATCH_NAMESPACE; and, for anyone using cross-namespace secret references (i.e., with a value in.namespaceunder one of the fields listed below). The documented means of installing the operator setsWATCH_NAMESPACEto be the namespace in which the operator is deployed.References in Stack which can be cross-namespace (
*indicates there's a list or map):.spec.envRefs[*].secret.spec.secretRefs[*].secret.spec.gitAuth.accessToken.secret.spec.gitAuth.sshAuth.sshPrivateKey.secret.spec.gitAuth.sshAuth.password.secret.spec.gitAuth.basicAuth.userName.secret.spec.gitAuth.basicAuth.password.secretTo fix the breakage:
WATCH_NAMESPACEwith an empty value or several values, modify your configuration so that you're running the operator in each namespace where you have Stack objects. (This PR extends the provided Pulumi programs so they will do this for you.)INSECURE_NO_NAMESPACE_ISOLATIONto the operator deployment spec, in the same place asWATCH_NAMESPACESis defined. Be aware that this is really only suitable for "single tenant" clusters -- when you are happy for anyone with access to have access to everything.