On Wed, Feb 26, 2020 at 06:33:30PM +0100, Michael Scherer wrote:
> Hi,
>
> I have been asked to look at the build of the docsbuilding openshift app. However, I
> am not a appowners and do not have access to anything. My understanding is that
> either you are listed in appowners, and you can control the app, or you are not,
> and you can do nothing.
Not quite. If you are an appowner you can see things in the app, you
still use ansible to manage the app. So, it's more r/o access.
>
> I would propose that we revise that policy, and let (as a opt-in since I guess opt-out would be too
> radical) application be a bit more open.
>
> Since I tend to think that patch are clearer to express my intent than my words, a patch
> that would be a first draft of what I would like to see being implemented is attached.
>
> I am still reading openshift docs on ressources, to see if I missed and/or opened too much.
Well, this would basically make the apps readable/viewable for anyone
with a fas account. Since we authentication to ipsilon...
I'm -1 to that. Sometimes there's sensitive info in logs.
kevin
--
>
> --
> Michael Scherer
> From c831bb3f9cf79e6a517290a19db09934e7ee60d5 Mon Sep 17 00:00:00 2001
> From: Michael Scherer <misc@xxxxxxxx>
> Date: Wed, 26 Feb 2020 16:52:11 +0100
> Subject: [PATCH] Add a is_public flag
>
> This permit a appowner to let external people see the build or the status
> without having to have a FAS account, and/or be listed as a appowner.
> ---
> roles/openshift/project/defaults/main.yml | 1 +
> roles/openshift/project/tasks/main.yml | 15 +++++++++++++
> roles/openshift/project/templates/appviewers.yml | 12 +++++++++++
> .../openshift/project/templates/role-appowners.yml | 2 +-
> .../project/templates/role-appviewers.yml | 25 ++++++++++++++++++++++
> 5 files changed, 54 insertions(+), 1 deletion(-)
> create mode 100644 roles/openshift/project/templates/appviewers.yml
> create mode 100644 roles/openshift/project/templates/role-appviewers.yml
>
> diff --git a/roles/openshift/project/defaults/main.yml b/roles/openshift/project/defaults/main.yml
> index 41916fd..80b08c4 100644
> --- a/roles/openshift/project/defaults/main.yml
> +++ b/roles/openshift/project/defaults/main.yml
> @@ -1,5 +1,6 @@
> ---
> allow_fas_db: false
> allow_phx2: true
> +is_public: false
>
> egress_policy_template: "{{roles_path}}/openshift/project/templates/egresspolicy.yml"
> diff --git a/roles/openshift/project/tasks/main.yml b/roles/openshift/project/tasks/main.yml
> index 5a2c46c..320576d 100644
> --- a/roles/openshift/project/tasks/main.yml
> +++ b/roles/openshift/project/tasks/main.yml
> @@ -58,6 +58,21 @@
> objectname: appowners.yml
> template_fullpath: "{{roles_path}}/openshift/project/templates/appowners.yml"
>
> +- name: role-appviewers.yml
> + include_role:
> + name: openshift/object
> + vars:
> + objectname: role-appviewers.yml
> + template_fullpath: "{{roles_path}}/openshift/project/templates/role-appviewers.yml"
> +
> +- name: appviewers.yml
> + include_role:
> + name: openshift/object
> + vars:
> + objectname: appviewers.yml
> + template_fullpath: "{{roles_path}}/openshift/project/templates/appviewers.yml"
> + when: is_public
> +
> - name: ergresspolicy.yml
> include_role:
> name: openshift/object
> diff --git a/roles/openshift/project/templates/appviewers.yml b/roles/openshift/project/templates/appviewers.yml
> new file mode 100644
> index 0000000..8abbda5
> --- /dev/null
> +++ b/roles/openshift/project/templates/appviewers.yml
> @@ -0,0 +1,12 @@
> +apiVersion: v1
> +kind: RoleBinding
> +metadata:
> + namespace: "{{app}}"
> + name: appviewers
> +roleRef:
> + name: appviewers
> + namespace: "{{app}}"
> +subjects:
> +- kind: Group
> + name: system:unauthenticated
> + apiGroup: rbac.authorization.k8s.io
> diff --git a/roles/openshift/project/templates/role-appowners.yml b/roles/openshift/project/templates/role-appowners.yml
> index 3cb94c5..93cfa5b 100644
> --- a/roles/openshift/project/templates/role-appowners.yml
> +++ b/roles/openshift/project/templates/role-appowners.yml
> @@ -2,7 +2,7 @@ apiVersion: v1
> kind: Role
> metadata:
> annotations:
> - openshift.io/description: An application owner. Can view everything but ConfigMaps.
> + openshift.io/description: An application owner. Can view everything but ConfigMaps, and start build
> name: appowner
> namespace: "{{ app }}"
> rules:
> diff --git a/roles/openshift/project/templates/role-appviewers.yml b/roles/openshift/project/templates/role-appviewers.yml
> new file mode 100644
> index 0000000..f189c34
> --- /dev/null
> +++ b/roles/openshift/project/templates/role-appviewers.yml
> @@ -0,0 +1,25 @@
> +apiVersion: v1
> +kind: Role
> +metadata:
> + annotations:
> + openshift.io/description: An application viewer. Can view logs for everything.
> + name: appviewer
> + namespace: "{{ app }}"
> +rules:
> +- apiGroups:
> + - "*"
> + attributeRestrictions: null
> + resources:
> + - buildlogs
> + - builds
> + - builds/log
> + - deploymentconfigs/log
> + - deploymentconfigs/status
> + - imagestreams/status
> + - routes/status
> + - pods/log
> + - pods/status
> +verbs:
> + - get
> + - list
> + - watch
> --
> 1.8.3.1
>
> _______________________________________________
> infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ infrastructure mailing list -- infrastructure@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to infrastructure-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
