Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft: Write policy to isolate personal namespaces to single user #25

Open
blairdrummond opened this issue Feb 17, 2022 · 2 comments
Open

Comments

@blairdrummond
Copy link
Contributor

If the Profile is not labelled with created-by: aaw-kubeflow-profiles https://github.com/StatCan/aaw-kubeflow-profiles/blob/8466791696aa55f6a21a8f6784c209a56e9f9ebe/profile.libsonnet#L92 , then only the owner AuthorizationPolicy and RoleBinding should be allowed.

Additionally, we should fix this in the UI, so that the option to manage your own namespace is not present if it's a personal namespace.

@brendangadd are you OK with this?

@blairdrummond blairdrummond changed the title Write policy to isolate personal namespaces to single user Draft: Write policy to isolate personal namespaces to single user Feb 17, 2022
@brendangadd
Copy link

@blairdrummond Would need evidence that this is needed, especially since Protected information is not provisioned for personal namespaces.

If we did implement this, it would need UI updates in central-dashboard to make this fact clear to the user:

  • Hide contributors field
  • Message explaining why

@blairdrummond
Copy link
Contributor Author

Main thing I'm thinking is that there'd be a higher likelihood of personal access tokens for personal github, etc, in the personal namespace

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants