-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Adds SSO control via individual namespaces. Fixes #6916 #6990
Conversation
a19b902
to
b94bcb2
Compare
…j#6921) Signed-off-by: Alex Collins <[email protected]> Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
cfe3ef7
to
bb1262c
Compare
Signed-off-by: bjenuhb <[email protected]>
…nto feat/sso-multitenancy Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
Codecov Report
@@ Coverage Diff @@
## master #6990 +/- ##
==========================================
+ Coverage 48.52% 48.59% +0.06%
==========================================
Files 265 267 +2
Lines 19382 19365 -17
==========================================
+ Hits 9406 9410 +4
+ Misses 8922 8897 -25
- Partials 1054 1058 +4
Continue to review full report at Codecov.
|
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
some minor changes, but I think we are otherwise there
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
@alexec Made suggested changes |
@@ -109,8 +113,16 @@ func init() { | |||
} | |||
} | |||
|
|||
func getResourceCacheNamespace(opts ArgoServerOpts) string { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think you always want to use opts.managedNamespace?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought about it.
Case 1
- Installed argo in cluster mode
- In this case, we need to look at service accounts of multiple namespaces
- So use
NamespaceAll
for this
Case 2
- Installed argo in namespace mode
- In this case, we need to see service accounts of installed namespace (typically
argo
) - So use
opt.Namespace
for this
Case 3
- Installed argo in managed namespace mode
- So, in this case say, we use
argo
namespace for installation, anduser-namespace
for usage - So, for login, I would still need to use service accounts of
argo
namespace - Still use
opt.Namespace
for this
Since for case 2 and 3, we only need service accounts of a single namespace,
we will just use the installation namespace which is the namespace
opt, and not managedNamespace
opt
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Case 1:
cacheNamespace == managedNamespace == "" == NamespaceAll
namespace == "argo"
Case 2:
cacheNamespace == managedNamespace == namespace == "argo"
Case 3:
managedNamespace == userNamespace
namespace == "argo"
cacheNamespace == ???
So it is case 3 that is odd. It should be whatever it is today, which I think is "argo", which seems wrong to me. I would actually think you'd want the user namespace. But history is history.
Lets make this overridable with config, so if we are wrong, then we can change out mind.
Maybe call it ssoNamespace
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, we can use ssoNamespace
so for case 1 we will set ssoNamespace
= NamespaceAll
For Case 2 and 3 we will set ssoNamespace
= namespace (typically argo)
Will make these changes
@alexec Can you please tag this PR with |
Signed-off-by: bjenuhb <[email protected]>
@alexec
|
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
Signed-off-by: bjenuhb <[email protected]>
…nto feat/sso-multitenancy Signed-off-by: bjenuhb <[email protected]>
Try syncing with master to fix builds. |
…nto feat/sso-multitenancy Signed-off-by: bjenuhb <[email protected]>
Approach
serviceAccount
inargo
namespace based on rules and precedenceserviceAccount
in the namespace for which request is originatedserviceaccounts
in requested namespace to find a match based on rules and precedenceservice account
to fulfil the operationThis is more of an impersonation approach from argo service account to user namespace service account
Notes
/metrics
and how (and if we need) to delegate thereSSO_DELEGATE_RBAC_TO_NAMESPACE
is set totrue
and we install argo argo in cluster mode