-
Notifications
You must be signed in to change notification settings - Fork 419
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Users should only be able to create TriggerTemplates for resources they are permissioned to use #77
Comments
@pmorie what's a SAR check? (not a term I'm familiar with!) |
@pmorie this is a super interesting point - was discussing this a bit with @imjasonh and @dibyom - this issue must apply to pipelines as well? Sine a user can specify any service account they'd like in a Run definition, which will ulitmately get provided to arbitrary containers the user provides 🤔 @imjasonh also told me SAR might stand for It feels to me a bit out of scope for Triggers or Pipelines tho - what do you think? I could see having a guide to a best practices setup that points people towards setting this kind of thing up (maybe even tools/scripts/docs to help them get this right), but I'm not sure it should be a feature of the projects themselves? |
After investigating and thinking about this a bit more, I think the TL;DR is: afaik @pmorie is pointing out that in our current design, if a user can create an EventListener (with a serviceaccount that can make PipelineRuns, read TriggerBindings, etc.), and you can create Pipelines + Tasks, they'll then have additionally the ability to:
So basically for example you might intend for a user to only be able to run Pipeline Foo in a cluster in response to a webhook, but you may not realize you actually gave the user the ability to do nearly anything they want in the cluster. I'm not sure triggers or pipelines should solve this directly, but we might want to provide some guidance (and maybe even best practice setup Tasks like the one @akihikokuroda added!) for ppl to setup secure clusters, e.g. something like:
|
haha i am bad at TL;DRs XD |
Thought about this a bit more, but please correct me if I am wrong. Since Triggers only allow you to create the resources specified with the template, it is the responsibility of the service account to specify the permissions, where there is no permissions issue*. The caveat here is that from those resources generated, reconcilers might do auxiliary processes. For example, the service account may have the permission to create a |
To this point, maybe pipelines should require the service account to be able to create pods if it doesn't so already? |
Hey @vtereso First, given it was several months ago, if the question you asked here has already been answered (with the same conclusion as me), apologies for missing that and the added noise here :-) I believe the answer to your question is "no" in that the associated service account permission do not act as sufficient shield. My explanation as to "why" is tl;dr ... but I'll risk it in the hope of fully explaining the rationale, as well as laying out all the assumption details in case there are disconnects. I'll also preface this by stating I've in the past worked on "a controller that creates objects on behalf of users with varying permissions in a k8s cluster"
Now, you could just make the restriction that "no cluster admin level" creations will be allowed at all, and restrict the trigger controller in that way. But I could see cluster admins wanting to leverage tekton plumbing, including triggers, to do things like manipulate test clusters. What if they maintain cluster configuration in a git repo, and trigger cluster changes via PRs against the git repo, and then have those PRs trigger Tekton Pipelines to validate the config change? Now, admitting I'm still new to tekton triggers, but I see in the current sink code access to
It seems the opportunity will exists to, at least opt into, gathering the identity of the end requester and performing authorization checks. My hope is to craft a PR in the short term that would at least show what an implementation could look like. Then once everyone is comfortable with that logic, the community could decide how to connect the requesting user impersonation/authorization dots end to end and stage the changes in. Thoughts? @dibyom @vdemeester @pmorie FYI In any case, is there any programmatic way to make a determination on what prospective reconcilers would do? |
fyi I updated my prior comment #77 (comment) as I've looked at the code more and understand that
|
per sync call today I'm assigning to myself will update this with the WIP PR when I have it available |
/assign @gabemontero |
Intermediate update:
|
Issues go stale after 90d of inactivity. /lifecycle stale Send feedback to tektoncd/plumbing. |
Stale issues rot after 30d of inactivity. /lifecycle rotten Send feedback to tektoncd/plumbing. |
Rotten issues close after 30d of inactivity. /close Send feedback to tektoncd/plumbing. |
@tekton-robot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
we've made some progress here with more granular RBAC. Do you think it makes sense to keep this closed or should we re-open @gabemontero ? |
/remove-lifecycle rotten @dibyom yeah the more granular RBAC is minimally a first step, but I think we should track this issue in conjunction with @khrm 's trigger CRD work; I'm curious as that reaches fruition if the serviceAccount associated with the trigger will be optional or not, along with how the trigger CRD work reconciles with #705 |
@gabemontero: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Issues go stale after 90d of inactivity. /lifecycle stale Send feedback to tektoncd/plumbing. |
/remove-lifecycle stale I still need to revisit where @khrm is wrt the trigger CRD / multi-tenant event listener work etc. per #77 (comment) |
UPDATE: we had a centralized discussion on this in today's WG call today ... the skinny:
@dibyom @khrm please comment as needed if my summary missed something |
Issues go stale after 90d of inactivity. /lifecycle stale Send feedback to tektoncd/plumbing. |
/remove-lifecycle stale |
@gabemontero Interceptors now run in separate services. Is there anything else we need to do for this issue? (Somewhat related: #1077 (comment)) |
Yeah at this point, between what I see in https://github.com/tektoncd/triggers/blob/61544a05c554f7d18ab9e0c5b655de3105230cc7/examples/rbac.yaml, the existing restriction around templates only allowing creation tekton.dev objects, the existing ability I added last year to specify the SA used when those tekton.dev objects are created based on the template spec, interceptors separated, I'm good with closing this. If multi tenant EL ever does get to the point where we need to see if that rbac file changes to the point where creation in multiple namespaces are possible, we can revisit this concern in that context at that time. IMO I'm good with no longer tracking this here. |
Issues go stale after 90d of inactivity. /lifecycle stale Send feedback to tektoncd/plumbing. |
Stale issues rot after 30d of inactivity. /lifecycle rotten Send feedback to tektoncd/plumbing. |
Rotten issues close after 30d of inactivity. /close Send feedback to tektoncd/plumbing. |
@tekton-robot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
In the current design, users would be able to use the
spec.resourceTemplates
field to escalate their degree of write permission within the cluster; users of TriggerTemplate are able to create any resource that the service account responsible for creating resources in a TriggerTemplate has permission to create. For example, if a user does not have access to create Pods, but the service account servicing TriggerTemplate does, a user could put a Pod intospec.resourceTemplates
and have it created.We should protect against this form of privilege escalation by having a validating webhook that uses information from the authorizer (this is part of the payload webhooks are passed) to make SAR checks that establish that the user creating or updating a TriggerTemplate has permission to create those resources in the cluster.
The text was updated successfully, but these errors were encountered: