Comments (4)
What if your admission controller simply injects the following annotations into the user's pod:
annotations:
admission.trusted.identity/inject: "true"
tsi.secrets: |
- tsi.secret/name: "<dataset>_accessKeyID"
tsi.secret/constraints: "region,images"
tsi.secret/local-path: "tsi-secrets/<dataset>_accessKeyID"
- tsi.secret/name: "<dataset>_secretAccessKey"
tsi.secret/constraints: "region,images"
tsi.secret/local-path: "tsi-secrets/<dataset>_secretAccessKey"
where the constraints are defined by the level of security to be imposed for this data set (e.g. only containers in specific region and from a specific image can access this data object)
And TSI would obtain the secrets from Vault and inject them to the user's container at the location specifed by tsi.secret/local-path
What do you think @YiannisGkoufas ?
from datashim.
Why/How is the image the deciding factor? Should it be rather whether the user is supposed to have access to this dataset?
Or maybe there is a use case that is not obvious at first glance - can you elaborate?
from datashim.
@vpavlin, intially, we are trying to address the simples scenario, to make sure only images that pass the compliance requirements, e.g vularabilty scan, are able to access the dataset. The example when access to the datasets depends on the userid is more challanging, just because Kubernetes was designed with a notion that users sharing a particular namespace can also share the resources in that namespace. We need to re-think this use-case whether it actually makes sense to do that. Separating the access on the namespace level is trivial, however, when different users share a namespace, it becomes tricky.
from datashim.
Would be interesting to take this up but is not planned currently.
from datashim.
Related Issues (20)
- Missing affinity options for helm charts HOT 2
- DataSet Operator missing healthchecks
- change PVC Access Mode HOT 3
- Processes require root permissions to write to CSI-S3 volumes mounted in pods under OpenShift
- Unmounting CSI-S3 volumes results in errors in kubelet HOT 1
- RBAC for CSI NFS attacher does not provide needed access for resource "volumeattachments/status" HOT 1
- Mount error with CSI-S3 volumes in OpenShift
- Pod in Pending state, NFS share not attaching HOT 4
- csi-s3/kubelet error " umount: can't unmount /var/lib/kubelet/pods/.*/volumes/kubernetes.io~csi./*/mount: Invalid argument" HOT 1
- Bug: delete Dataset and containing namespace in quick succession can result in finalizer hang
- Feature request: pass ACCESS_TOKEN to S3 configuration HOT 2
- Deleting dataset before deleting the pod referring to the dataset leads to orphaned DatasetInternal objects HOT 1
- ci: Update testing action to wait for Dataset operator to be ready HOT 2
- If kind is a CRD dlf error on creating pod HOT 4
- Upgrade dependencies of the operator - to latest k8s and controller-runtime HOT 2
- Automount option HOT 1
- Revamp the project website
- Create an issue template for Datashim HOT 1
- Create a user survey for Datashim
- Issue with docker registry HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from datashim.