Yuvipanda has submitted this change and it was merged. ( https://gerrit.wikimedia.org/r/341191 )
Change subject: tools: Allow readonly access to all namespace objects
......................................................................
tools: Allow readonly access to all namespace objects
This isn't private information, and seems to be required for
helm to work properly
Change-Id: I5f634da42b53c076ee3f95c646a5945b8c2d8d09
---
M modules/toollabs/files/maintain-kubeusers
1 file changed, 17 insertions(+), 0 deletions(-)
Approvals:
Yuvipanda: Verified; Looks good to me, approved
diff --git a/modules/toollabs/files/maintain-kubeusers
b/modules/toollabs/files/maintain-kubeusers
index f9e4972..a880237 100755
--- a/modules/toollabs/files/maintain-kubeusers
+++ b/modules/toollabs/files/maintain-kubeusers
@@ -185,6 +185,23 @@
"apiGroup": "*",
}
}
+ # This allows all users to get info about all namespaces,
+ # but not to edit them. This is important, because
+ # readonly access to all namespaces is needed for helm
+ # to work, but we must make sure users can't write to
+ # namespaces - since that could allow them to modify the
+ # RunAsUser annotation and gain root on the cluster.
+ yield {
+ "apiVersion": "abac.authorization.kubernetes.io/v1beta1",
+ "kind": "Policy",
+ "spec": {
+ "user": "*",
+ "resource": "namespaces",
+ "readonly": True,
+ "apiGroup": "*",
+ "namespace": "*"
+ }
+ }
for user in users:
if user.group == 'tool':
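Review bot: the safety argument in the comment (users must not be able to write to `namespaces`, since that could change the `RunAsUser` annotation) rests on no other policy granting write on that resource, and this hunk cannot show that; since the new policy uses `"user": "*"` and `"namespace": "*"`, it matches every authenticated identity, not only tool users, so it would be worth adding a check (or at least a comment next to `"readonly": True`) that confirms the only policy touching `namespaces` is this readonly one. The commit message says readonly access "seems to be required" for helm; naming in the comment which helm call fails without it (list of namespaces, get of a single namespace) would let a later reader keep this grant as narrow as the failure requires rather than keeping it only because it once made helm work. Minor: `namespaces` is a cluster-scoped resource, so the `"namespace": "*"` field is redundant here and could be dropped to avoid suggesting the grant is scoped.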
--
To view, visit https://gerrit.wikimedia.org/r/341191
To unsubscribe, visit https://gerrit.wikimedia.org/r/settings
Gerrit-MessageType: merged
Gerrit-Change-Id: I5f634da42b53c076ee3f95c646a5945b8c2d8d09
Gerrit-PatchSet: 4
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Yuvipanda <[email protected]>
Gerrit-Reviewer: Coren <[email protected]>
Gerrit-Reviewer: Giuseppe Lavagetto <[email protected]>
Gerrit-Reviewer: Merlijn van Deen <[email protected]>
Gerrit-Reviewer: Yuvipanda <[email protected]>
Gerrit-Reviewer: jenkins-bot <>
_______________________________________________
MediaWiki-commits mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits