Update ACLs, add namespace.write permission#2029
Conversation
…shicorp/consul-k8s into bug/gateway-controller-incomplete-acl
sarahalsmiller
changed the title
| partition "{{ .PartitionName }}" { | ||
| mesh = "write" | ||
| acl = "write" | ||
| operator = "write" |
There was a problem hiding this comment.
Is operator = "write" within the partition needed (this feels like more permission than we may want to grant our controller), or is
namespace_prefix "" {
policy = "write"
}
sufficient?
https://developer.hashicorp.com/consul/commands/namespace/create does say operator:write is required, but that may be inaccurate, as https://developer.hashicorp.com/consul/docs/security/acl/acl-rules#namespace-rules seems to indicate the latter policy would be sufficient?
There was a problem hiding this comment.
+1 to Mike, it's worth investigating if we can avoid operator:write. And I saw this comment: https://github.com/hashicorp/consul-k8s/blob/main/control-plane/subcommand/server-acl-init/rules.go#L40-L41 higher up in the file as well, which indicates operator=write cannot be done within a partition anyways. Not sure if it'll cause issues when deployed (possibly not since you've tested this), but it sounds like if that's the case it should be possible to not include operator:write.
There was a problem hiding this comment.
After additional testing, I have removed the operator:write permission. I think in the initial tests it was simply ignoring the operator:write permission.
There was a problem hiding this comment.
Also worth nothing, I'm not sure what was wrong with my env on friday, but on this round of testing, the fix worked with both api gateway 1.5.1 and 1.5.2
There was a problem hiding this comment.
I assume you mean API Gateway 0.5.1 and 0.5.2?
mikemorris
changed the title
|
@sarahalsmiller Just an FYI, just linked #1911 to this PR. |
4 participants
Changes proposed in this PR:
How I've tested this PR:
How I expect reviewers to test this PR:
Checklist: