Hi,
I have been asked to look at the build of the docsbuilding openshift app. However, I am not an appowner and do not have access to anything. My understanding is that either you are listed in appowners, and you can control the app, or you are not, and you can do nothing.
I would propose that we revise that policy, and let (as an opt-in, since I guess opt-out would be too radical) applications be a bit more open.
Since I tend to think that patches are clearer to express my intent than my words, a patch that would be a first draft of what I would like to see implemented is attached.
I am still reading the openshift docs on resources, to see if I missed and/or opened too much.
On Wed, Feb 26, 2020 at 06:33:30PM +0100, Michael Scherer wrote:
Hi,
I have been asked to look at the build of the docsbuilding openshift app. However, I am not an appowner and do not have access to anything. My understanding is that either you are listed in appowners, and you can control the app, or you are not, and you can do nothing.
Not quite. If you are an appowner you can see things in the app, you still use ansible to manage the app. So, it's more r/o access.
I would propose that we revise that policy, and let (as an opt-in, since I guess opt-out would be too radical) applications be a bit more open.
Since I tend to think that patches are clearer to express my intent than my words, a patch that would be a first draft of what I would like to see implemented is attached.
I am still reading the openshift docs on resources, to see if I missed and/or opened too much.
Well, this would basically make the apps readable/viewable for anyone with a fas account. Since we authenticate to ipsilon...
I'm -1 to that. Sometimes there's sensitive info in logs.
kevin --
-- Michael Scherer
From c831bb3f9cf79e6a517290a19db09934e7ee60d5 Mon Sep 17 00:00:00 2001
From: Michael Scherer misc@zarb.org
Date: Wed, 26 Feb 2020 16:52:11 +0100
Subject: [PATCH] Add a is_public flag
This permits an appowner to let external people see the build or the status without having to have a FAS account and/or be listed as an appowner.
 roles/openshift/project/defaults/main.yml          |  1 +
 roles/openshift/project/tasks/main.yml             | 15 +++++++++++++
 roles/openshift/project/templates/appviewers.yml   | 12 +++++++++++
 .../openshift/project/templates/role-appowners.yml |  2 +-
 .../project/templates/role-appviewers.yml          | 25 ++++++++++++++++++++++
 5 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 roles/openshift/project/templates/appviewers.yml
 create mode 100644 roles/openshift/project/templates/role-appviewers.yml
diff --git a/roles/openshift/project/defaults/main.yml b/roles/openshift/project/defaults/main.yml index 41916fd..80b08c4 100644 --- a/roles/openshift/project/defaults/main.yml +++ b/roles/openshift/project/defaults/main.yml @@ -1,5 +1,6 @@
allow_fas_db: false allow_phx2: true +is_public: false
egress_policy_template: "{{roles_path}}/openshift/project/templates/egresspolicy.yml" diff --git a/roles/openshift/project/tasks/main.yml b/roles/openshift/project/tasks/main.yml index 5a2c46c..320576d 100644 --- a/roles/openshift/project/tasks/main.yml +++ b/roles/openshift/project/tasks/main.yml @@ -58,6 +58,21 @@ objectname: appowners.yml template_fullpath: "{{roles_path}}/openshift/project/templates/appowners.yml"
+- name: role-appviewers.yml
- include_role:
- name: openshift/object
- vars:
- objectname: role-appviewers.yml
- template_fullpath: "{{roles_path}}/openshift/project/templates/role-appviewers.yml"
+- name: appviewers.yml
- include_role:
- name: openshift/object
- vars:
- objectname: appviewers.yml
- template_fullpath: "{{roles_path}}/openshift/project/templates/appviewers.yml"
- when: is_public
- name: ergresspolicy.yml include_role: name: openshift/object
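Review bot: in the tasks/main.yml hunk only the `appviewers.yml` RoleBinding task carries `when: is_public`; the `role-appviewers.yml` Role task runs for every app, and nothing removes an already-created appviewers binding when an app's `is_public` is later set back to false, so turning the flag off does not revoke the access. Suggest gating both tasks on the flag and adding a task that removes the binding when `is_public` is false.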
diff --git a/roles/openshift/project/templates/appviewers.yml b/roles/openshift/project/templates/appviewers.yml new file mode 100644 index 0000000..8abbda5 --- /dev/null +++ b/roles/openshift/project/templates/appviewers.yml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: RoleBinding +metadata:
- namespace: "{{app}}"
- name: appviewers
+roleRef:
- name: appviewers
- namespace: "{{app}}"
+subjects: +- kind: Group
- name: system:unauthenticated
- apiGroup: rbac.authorization.k8s.io
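Review bot: in appviewers.yml the `roleRef` name is `appviewers`, but the Role defined in role-appviewers.yml has `metadata.name: appviewer`, so the binding would point at a Role that does not exist in the namespace; use one spelling for the Role name, the roleRef and the object name. Note also that the subject is the `system:unauthenticated` group, so the viewer role is granted to anyone who can reach the API server, not only users with a FAS account as the reply above assumes.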
diff --git a/roles/openshift/project/templates/role-appowners.yml b/roles/openshift/project/templates/role-appowners.yml index 3cb94c5..93cfa5b 100644 --- a/roles/openshift/project/templates/role-appowners.yml +++ b/roles/openshift/project/templates/role-appowners.yml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Role metadata: annotations:
- openshift.io/description: An application owner. Can view everything but ConfigMaps.
- openshift.io/description: An application owner. Can view everything but ConfigMaps, and start build name: appowner namespace: "{{ app }}"
rules: diff --git a/roles/openshift/project/templates/role-appviewers.yml b/roles/openshift/project/templates/role-appviewers.yml new file mode 100644 index 0000000..f189c34 --- /dev/null +++ b/roles/openshift/project/templates/role-appviewers.yml @@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Role +metadata:
- annotations:
- openshift.io/description: An application viewer. Can view logs for everything.
- name: appviewer
- namespace: "{{ app }}"
+rules: +- apiGroups:
- "*"
- attributeRestrictions: null
- resources:
- buildlogs
- builds
- builds/log
- deploymentconfigs/log
- deploymentconfigs/status
- imagestreams/status
- routes/status
- pods/log
- pods/status
+verbs:
- get
- list
- watch
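Review bot: the rule grants `get`/`list`/`watch` on `buildlogs`, `builds/log`, `deploymentconfigs/log` and `pods/log`, and the binding in appviewers.yml hands that to `system:unauthenticated`; since the thread already flags that logs sometimes contain sensitive information, consider keeping the log subresources out of the public role and limiting it to `builds` and the `*/status` resources, leaving logs to appowners. The description annotation ("Can view logs for everything") and the `apiGroups: "*"` wildcard should then be narrowed to match the final resource list.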
-- 1.8.3.1
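Review bot: the role-appowners.yml hunk changes only the description annotation to add "and start build", but no `rules` change granting build creation appears anywhere in this patch, so the annotation now documents a permission the Role may not actually have; either include the corresponding `rules` change or move this hunk, which is unrelated to the `is_public` flag, into its own commit.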
infrastructure mailing list -- infrastructure@lists.fedoraproject.org