Comments (4)
@bukovjanmic if I understand correctly, you are using a single instance of the Operator to manage Grafana instances and dashboards across a number of namespaces. In that case `WATCH_NAMESPACE` and the proposed `WATCH_NAMESPACE_SELECTOR` won't help, because they limit the Operator itself to one or a number of namespaces.

You could probably work with roles and rolebindings per Grafana instance serviceaccount, but that becomes hard to manage.

A field `acceptResourcesFromNamespaces` on the Grafana CR could work, we can discuss this on our next triage call.
Yes, correct.

We discussed this as well and we think RBAC for the resources is the way to go: the operator should check if the Grafana instance service account has access rights (a RoleBinding) to the GrafanaDashboard/GrafanaDatasource resource.

`acceptResourceFromNamespace` will not solve the problem with malicious users: a user could still create a Grafana instance, set `acceptResourceFromNamespace` to someone else's namespace, and if he knows the correct labels, he can steal GrafanaDatasource credentials from a GrafanaDatasource in a namespace that he normally does not have access to (but the Grafana operator does).
I don't really understand why it isn't enough to use the built-in RBAC. If you are running the operator in namespace mode, you will have to provide the operator SA with the correct access to watch what's going on in a specific namespace when using `WATCH_NAMESPACE`.

Or is it that you don't want to do that work, and you want to still use cluster-level access for the operator?

This is a general issue in Kubernetes, and multiple operators have this issue. ArgoCD and Flux are both examples of this.

Personally, I don't think we should implement any solution around this in the operator, since it will increase the complexity of the operator. Potentially using something like `acceptResourcesFromNamespaces` is simple enough, but starting to do a bunch of RBAC "magic" on the side is a slippery slope.

Instead, I would suggest using a tool like OPA or Kyverno to make sure that `allowCrossNamespaceImport: true` can't be set.

Here is an example of how my old work used to enforce extra security around Flux.

Just like you need to make sure that ArgoCD applications can't use any projects you want.

I think we could write a blog on how to enforce OPA/Kyverno settings, but I don't think it's something that we should solve in the operator using code.
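The admission-policy approach suggested in the last comment, as an added example that is not part of this thread and not the grafana-operator project's own code: a Kyverno `ClusterPolicy` that rejects any `GrafanaDashboard` or `GrafanaDatasource` whose `spec.allowCrossNamespaceImport` is `true`. This closes the credential-theft path described in the second comment (a tenant importing datasources from a namespace they cannot otherwise read) without changing the operator. The `platform-admin` ClusterRole named in the `exclude` block is an assumption standing in for whichever team legitimately owns the shared Grafana instances; the resource group and version follow the operator's `grafana.integreatly.org/v1beta1` API.

```yaml
# Added example (not from the grafana-operator project or this thread):
# Kyverno ClusterPolicy that blocks spec.allowCrossNamespaceImport: true on
# GrafanaDashboard and GrafanaDatasource objects unless the request comes from
# a subject holding the (assumed) platform-admin ClusterRole.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: deny-grafana-cross-namespace-import
spec:
  # Enforce rejects the request; roll out with Audit first to see what would be denied.
  validationFailureAction: Enforce
  # Evaluate at admission time only; do not scan existing objects in the background.
  background: false
  rules:
    - name: block-allow-cross-namespace-import
      match:
        any:
          - resources:
              kinds:
                - grafana.integreatly.org/v1beta1/GrafanaDashboard
                - grafana.integreatly.org/v1beta1/GrafanaDatasource
              operations:
                - CREATE
                - UPDATE
      exclude:
        any:
          # Assumption: platform-admin is the ClusterRole held by the team that
          # runs the shared Grafana instances and may import across namespaces.
          - clusterRoles:
              - platform-admin
      validate:
        message: >-
          spec.allowCrossNamespaceImport may not be set to true: cross-namespace
          import of dashboards and datasources is restricted to the platform team.
        pattern:
          spec:
            # Conditional anchor: the field may be absent, but if present it must be false.
            =(allowCrossNamespaceImport): "false"
```

Apply it with `kubectl apply -f` and verify with a server-side dry run of a `GrafanaDatasource` that sets `allowCrossNamespaceImport: true` from a non-admin context; the request should be denied with the message above. Because the policy only matches the two Grafana kinds, it has no effect on other tenants' admission traffic, and switching `validationFailureAction` to `Audit` during rollout records would-be violations in policy reports instead of blocking them.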