
Limit privileges while running Actions #609

Open
pkosiec opened this issue Jan 21, 2022 · 0 comments
Labels

  • area/engine: Relates to Engine
  • area/hub-manifests: Relates to Hub manifests
  • enhancement: New feature or request
  • needs-triage: Relates to issues that should be refined
  • security: Pull requests that fixes security issues
Milestone

Comments

@pkosiec
Copy link
Member

pkosiec commented Jan 21, 2022

Description

Investigate how we can achieve the following goals in Capact (ideally in a generic fashion):

  • Make sure to have as tight as possible privileges while running Action workflows
    • Kubernetes workloads
    • Terraform (AWS privileges)
      • Currently, for every Implementation that uses Terraform, there's no description of which AWS permissions are needed, apart from the MD document we create. Maybe we should enforce that while injecting AWS secrets into a given Action.

Probably we need to give proper tools to content developers (to describe the minimal permissions to run a given workflow) and also validate the provided credentials (permissions).

The following tools may be helpful:

Outcome:

  • Create document with findings
  • Create epic to implement such functionality

Reason

Currently, every running Action has cluster admin privileges set for Argo workflow execution.
Also, we should make sure that the required set of permissions is as narrow as possible for every Terraform run.
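As an added illustration of the Kubernetes side of this issue (these are not Capact's own manifests and not part of the issue author's post): the first document is the kind of cluster-admin binding the Reason section describes, and the documents after it show the narrowed alternative, a dedicated ServiceAccount per Action bound to a namespaced Role, which the Workflow then selects via `serviceAccountName`. The namespace `capact-system`, the names `argo-workflow` and `action-runner`, and the ConfigMap rule are assumptions; the Argo executor verbs reflect my understanding of the Argo requirements and need to be checked against the Argo version Capact runs.

```yaml
# Added example, not Capact's manifests. All names and the namespace are assumptions.

# --- Current state described in the issue: the workflow SA is cluster-admin ---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: argo-workflow-cluster-admin   # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin                 # every Action step can do anything in the cluster
subjects:
  - kind: ServiceAccount
    name: argo-workflow               # hypothetical name
    namespace: capact-system          # assumed namespace
---
# --- Narrowed alternative: one ServiceAccount per Action, scoped to its namespace ---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: action-runner                 # hypothetical name
  namespace: capact-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                            # namespaced Role, not a ClusterRole
metadata:
  name: action-runner
  namespace: capact-system
rules:
  # Argo executor sidecar (assumption, verify against the Argo version in use):
  # it reads and patches its own pod to report step status.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "patch"]
  # Newer Argo releases report step outputs through WorkflowTaskResults instead.
  - apiGroups: ["argoproj.io"]
    resources: ["workflowtaskresults"]
    verbs: ["create", "patch"]
  # The only thing this particular Action itself touches (assumed): a ConfigMap
  # for its output. Anything an Implementation does not need is simply absent.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "create", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: action-runner
  namespace: capact-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: action-runner
subjects:
  - kind: ServiceAccount
    name: action-runner
    namespace: capact-system
---
# The Action's Workflow runs its pods under the narrowed ServiceAccount.
apiVersion: argoproj.io/v1alpha1
kind: Workflow
metadata:
  generateName: example-action-
  namespace: capact-system
spec:
  serviceAccountName: action-runner   # instead of the cluster-admin SA above
  entrypoint: main
  templates:
    - name: main
      container:
        image: alpine:3.18
        command: [sh, -c]
        args: ["echo running with namespace-scoped privileges"]
```

The Role is where the "tools for content developers" idea from the description would plug in: an Implementation could declare the rules it needs and Capact could render exactly those, so that a step which only writes a ConfigMap never receives `cluster-admin`. With the narrowed binding in place, `kubectl auth can-i --as=system:serviceaccount:capact-system:action-runner delete secrets -n capact-system` is a quick way to confirm the SA no longer holds permissions it was never meant to have.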

@pkosiec pkosiec added enhancement New feature or request security Pull requests that fixes security issues area/engine Relates to Engine area/hub-manifests Relates to Hub manifests needs-triage Relates to issues that should be refined labels Jan 21, 2022
@pkosiec pkosiec added this to the 0.7.0 milestone Jan 27, 2022
Projects
None yet
Development

No branches or pull requests

1 participant