Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

When cordoning a tenant capsule should check if user is a member of capsuleUserGroup instead of tenantOwner #421

Closed
MaxFedotov opened this issue Sep 15, 2021 · 0 comments · Fixed by #422
Closed

When cordoning a tenant capsule should check if user is a member of capsuleUserGroup instead of tenantOwner #421

MaxFedotov opened this issue Sep 15, 2021 · 0 comments · Fixed by #422
Assignees
@MaxFedotov
Labels
bug Something isn't working
Milestone
v0.1.1

Comments

@MaxFedotov
Copy link
Collaborator

When the tenant is cordoned using capsule, we had a special check in webhook which verifies if a request to modify an object inside a tenant was made by Tenant owner or a service account.
But current realization had a problem - if access for a namespace inside a tenant was granted to the user using rolebindings created by tenant admin - the user will have permissions to modify objects (because he is not an owner of tenant)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@MaxFedotov MaxFedotov

Labels
bug Something isn't working
Projects
None yet
Milestone
v0.1.1
2 participants
@prometherion @MaxFedotov