Limit privileges while running Actions #609

@pkosiec

Description

Investigate how we can achieve the following goals in Capact (ideally in a generic fashion):

  • Make sure to have as tight as possible privileges while running Action workflows
    • Kubernetes workloads
    • Terraform (AWS privileges)
      • Currently, for every Implementation that uses Terraform, there's no description of which AWS permissions are needed, apart from the MD document we create. Maybe we should enforce that while injecting AWS secrets into a given Action.

Probably we need to give proper tools to content developers (to describe the minimal permissions to run a given workflow) and also validate the provided credentials (permissions).

The following tools may be helpful:

Outcome:

  • Create document with findings
  • Create epic to implement such functionality

Reason

Currently, every running Action has cluster admin privileges set for Argo workflow execution.
Also, we should make sure that the required set of permissions is as narrow as possible for every Terraform run.

    Labels

    • area/engine: Relates to Engine
    • area/hub-manifests: Relates to Hub manifests
    • enhancement: New feature or request
    • needs-triage: Relates to issues that should be refined
    • security: Pull requests that fixes security issues
