This repository has been archived by the owner on Nov 20, 2023. It is now read-only.

What is the suggestion for security around image promotion? #304

Open
alberttwong opened this issue Mar 19, 2020 · 3 comments

@alberttwong

alberttwong commented Mar 19, 2020

Our OCP environment is one cluster with environments being separated by projects. We know that images are promoted by using the “oc tag” command. Is there any security around this? Can I tag an image into a project that I do not have access to, since it is a shared image registry?

http://v1.uncontained.io/playbooks/continuous_delivery/image_promotion.html

@sabre1041
Contributor

No. The registry obeys OpenShift RBAC.

@alberttwong
Author

So if OCP RBAC doesn't grant you access to the container registry namespace, you won't get access to the image?

@sabre1041
Contributor

@alberttwong it is based on the namespace where the image is stored, not the namespace where the registry is located.
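
Editor's added example (not part of the thread or the project's own configuration): a least-privilege RBAC sketch for promoting images between two projects on one cluster. The project names `dev` and `prod`, the service account `promoter`, and the assumption that promotion needs read access to image layers in the source project plus write access to image stream tags in the target project are illustrative.

```yaml
# Constructed example; dev, prod and promoter are assumed names.
# Source side: let the promoting identity read image layers stored in "dev".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: promoter-can-pull
  namespace: dev               # namespace where the image is stored
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:image-puller    # built-in OpenShift role (get on imagestreams/layers)
subjects:
- kind: ServiceAccount
  name: promoter
  namespace: prod
---
# Target side: allow writing image stream tags in "prod" and nothing else.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: imagestreamtag-writer
  namespace: prod
rules:
- apiGroups: ["image.openshift.io"]
  resources: ["imagestreams", "imagestreamtags"]
  verbs: ["get", "list", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: promoter-can-tag
  namespace: prod
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: imagestreamtag-writer
subjects:
- kind: ServiceAccount
  name: promoter
  namespace: prod
```

The effective permissions can be checked per namespace with `oc auth can-i get imagestreams/layers -n dev --as=system:serviceaccount:prod:promoter` and `oc auth can-i update imagestreamtags -n prod --as=system:serviceaccount:prod:promoter`; an identity with no binding in a project should get `no` for that project.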
