Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[opsportal] All authenticated #420

Merged
merged 4 commits into from
Feb 11, 2020
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion stable/opsportal/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ appVersion: 1.0.0
home: https://github.com/mesosphere/charts
description: OpsPortal Chart
name: opsportal
version: 0.2.3
version: 0.2.4
maintainers:
- name: hectorj2f
- name: alejandroEsc
Expand Down
18 changes: 18 additions & 0 deletions stable/opsportal/templates/ingress-opsportal-rolebinding.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
{{- if and .Values.opsportalRBAC.enabled .Values.opsportalRBAC.allowAllAuthenticated }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: opsportal-authenticated-admin
labels:
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
roleRef:
apiGroup: rbac.authorization.k8s.io
name: opsportal-admin
kind: ClusterRole
subjects:
- apiGroup: "rbac.authorization.k8s.io"
kind: Group
name: system:authenticated
{{- end}}
7 changes: 7 additions & 0 deletions stable/opsportal/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,13 @@ opsportalRBAC:
enabled: true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: should we make rbac false by default, for now? It is anyway enabled in Kubernetes-base-addons

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's leave the chart values at what is recommended. We can override that in Addons if we want to maintain compatibility with previous deployments.

path: /ops/portal
graphqlPath: /ops/portal/graphql
## traefik-forward-auth 2.0 introduces RBAC support and now requires that users, regardless of whitelist,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

docs++

## be allowed access to a resource via explicit RBAC policy. Upon upgrade, whitelisted users would no longer
## have access to ops portal resources unless an appropriate role binding existed. To prevent breakage,
## the allowAllAuthenticated option, when true, will result in the group `system:allauthenticated` being bound to
## to the opsportal-admin role. This mimics the existing security policy where any authenticated and whitelisted user
## has full access to the opsportal. This option will be removed in the 0.3 release of this chart.
allowAllAuthenticated: false

kibanaRBAC:
enabled: true
Expand Down