[DevWorkspace] Make it possible to bind namespace role to a namespace service-account #20749
Comments
vinokurig
added
kind/task
che-bot
added
the
status/need-triage
mshaposhnik
added
team/controller
severity/P2
svor
added
severity/P1
|
The DevWorkspace Operator has to be limited in what permissions it offers to the workspace service account -- any permissions the workspace SA gets can be used by anyone with DevWorkspace RBAC permissions, so there's a risk of privilege escalation. Currently, the RBAC provisioned for workspace ServiceAccounts is shown here. This role+rolebinding supercedes any role/rolebinding created by Che. The We can extend this role but I would like to be careful to extend it minimally while supporting as wide a set of use-cases as possible. To this end, there are 3 options I see:
I'm happy to do any of the above options, but I also don't want to commit to a path without discussion. Option 1 likely makes the most sense from a backwards compatibility perspective, as Theia is already using |
what exactly two secrets do you mean by
To use secrets from editors we need an access to them. In DW workspace we use token from DW servie-account which is not binded to the secretes role.
We need to have permissions for both service accounts, for dev-workspace SA ( |
|
The # Within workspace pod
$ curl --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
-H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
"https://kubernetes.default/api/v1/namespaces/$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)/secrets/workspace-credentials-secret"
{
"kind": "Secret",
"apiVersion": "v1",
"metadata": {
[...]
}If no other secret access is required, then DWO already provides all access needed.
PR eclipse-che/che-server#174 attempts to add privileges to access an additional secret, Before committing to extending the workspace SA with additional privileges, I'd like to discuss the options and make sure the path chosen makes sense going forward (e.g. I think having access to a credentials secret and a preferences configmap will be more useful in the future than two specific secrets). |
|
Hi, a question to the assignee of this issue: Will the outcome require any changes to the relevant content of the Installation Guide or Administration Guide or End-user Guide? Yes/No? |
We need to have |
|
The question I'm asking is whether we should add In other words, as an abstract user of DevWorkspaces, would I prefer having access to two secrets, named |
|
Is there a point of having workspace preferences be a secret other then the fact that there is some theia code that makes it easier to interact with secrets? If I were a random user of devworkspace IMO I would expect workspace preferences to be in a configmap rather then a secret |
|
There is no technical reason for storing preferences in secret but not in config-map, so I am +1 to have a config-map |
|
@vinokurig Great! PR devfile/devworkspace-operator#675 should add the required permissions; it will be included in the v0.11.0 release of DWO. |
|
Closing as devfile/devworkspace-operator#675 is merged |
Is your task related to a problem? Please describe
When provisioning a namespace, Che sets
serviceAccountNameasche-workspace, but in the DevWorkspace installation we have another Service Account likeworkspace<workspace id>-sawhich is actually used for a workspace. So when creating a role binding it is binded to theche-workspaceservice account, but when I make a kubernetes request from a workspace container it is using a token of theworkspace<workspace id>-saservice account.Describe the solution you'd like
Need to have a way to bind namespace roles to a namespace service-account.
Describe alternatives you've considered
No response
Additional context
No response
The text was updated successfully, but these errors were encountered: