-
Notifications
You must be signed in to change notification settings - Fork 323
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Decoupling Consul's Role-Based Access Control (RBAC) from the core system. #4276
base: main
Are you sure you want to change the base?
Conversation
This pull request appears to be targeted spam. |
Hi @boruszak This is a valid requirement from our organization. I have added enough explanation about the requirement. Is need more information or details, will be happy to answer . |
@payalsu Can you provide a little more detail as to why your organization needs to manage the RBAC permissions separately from the Helm chart? How do you plan to keep your external RBAC definitions up-to-date with changes to the Helm chart that require changes to K8s RBAC configs? |
@payalsu I closed the PR for security reasons. 1) This PR makes what appear to be substantial changes to the software's security operations, but the GitHub account is a month old, 2) there are no other contributions or indications of organization affinity on the GitHub account, and 3) the review request was targeted at the documentation review alias, despite the fact that the changes are not documentation changes. Please respond to the questions from @blake, who can evaluate the pull request and decide whether to reopen it. |
Hi @blake As a result, we want the ability to add a feature flag to disable the RBAC installation and manage that using a separate RBAC specific helm chart. We will maintain that chart as we upgrade Consul to newer versions. I believe this use case is valid and it enhances security by allowing cluster administrators with higher levels of permissions to manage the sensitive RBAC resources, while restricting other users with less permissions to install the application itself. If you require further clarification on this use case, I would be happy to provide more information. |
Hi |
Hi |
Changes proposed in this PR
The goal of this requirement is to enhance the security architecture by decoupling Consul's Role-Based Access Control (RBAC) from the core system. This change is aimed at allowing Consul RBAC to be installed and configured as a prerequisite, ensuring that the permissions required to install the application and the cluster level RBAC can be managed independently. By implementing this solution, we will improve access management, reduce security risks, and streamline RBAC architecture.
Goals:
Decoupling RBAC: Implement a mechanism that allows Consul RBAC to function independently of the Consul cluster, promoting a modular architecture.
Minimizing Permissions: Ensure that users responsible for installing the RBAC and application operate with the least privilege principle, mitigating the risk posed by overly broad permissions.
Improving Security Posture: Enhance the overall security of applications by limiting the attack surface exposed to potential threats.
Benefits:
Enhanced Security: Reducing cluster-wide permissions decreases the risk of unauthorized access and potential vulnerabilities.
Easier Compliance: By enabling granular access controls, organizations can more easily comply with security standards and regulations.
Operational Efficiency: Streamlined RBAC permissions management leads to a more efficient development and deployment process, reducing friction between teams.
How I've tested this PR
How I expect reviewers to test this PR
Checklist