Pipeline level RBAC

Introduction

Role-based access control (RBAC) restricts access based on the roles of individual users within an organization. The OpsMx Pipeline-level RBAC feature restricts access at the pipeline level within an application.

The Pipeline RBAC feature is disabled by default.

To Enable Pipeline RBAC

  • Connect to the Spinnaker Halyard pod using the command below:

kubectl exec -it <NAME_OF_THE_HALYARD_POD> -n <YOUR_NAMESPACE> bash
  • Make the following changes in the hal config file: search for authz and enable it.

authz:
  groupMembership:
    service: "EXTERNAL"
    google:
      roleProviderType: "GOOGLE"
    github:
      roleProviderType: "GITHUB"
    file:
      roleProviderType: "FILE"
    ldap:
      roleProviderType: "LDAP"
  enabled: true

  1. Access the GitHub repository where Spinnaker is configured and locate the Gate secret and the fiat, front50 and orca YAML files under ~/.hal/default/profiles.

  2. Set pipeline: rbac: true in the orca.yml, fiat.yml and front50.yml files.

  3. Run the following command to apply the changes: hal deploy apply

  4. Save the changes and exit.

  5. Restart the gate service.

  6. Wait for all three pods to restart successfully.

To verify whether Pipeline RBAC is enabled

Follow the steps below to verify whether pipeline RBAC is enabled:

  1. Port-forward the fiat service (named spin-fiat in the Gate configuration later on this page) by running the following command from your terminal:

kubectl port-forward service/<FIAT_SERVICE_NAME> 7003:7003 -n <YOUR_NAMESPACE>
  2. Once the fiat service is port-forwarded, open the following URL in your browser: http://localhost:7003/authorize/<VALID-USERNAME>

You will get the list of Applications and Pipelines for that user.

Search the response for pipelines. If the list of pipelines is present, Pipeline-level RBAC is enabled successfully.

To provide Pipeline-level RBAC Access

An admin can restrict access to a pipeline's Read, Write and Execute functions to specific user groups. Through this access, you can define who can edit the pipeline configuration, execute the pipeline and delete the pipeline.

Prerequisite

The following configuration change is applied through Helm.

To use the Pipeline-level RBAC feature, the fiat configuration in the Gate secret is enabled by default. If it is not, set enabled to true as shown below.

fiat:
  baseUrl: http://spin-fiat:7003
  enabled: true
  host: 0.0.0.0
  port: 7003

Instructions

Follow the steps below to provide pipeline-level RBAC access:

  1. Access the GitHub repository where Spinnaker is configured and locate the fiat-local.yaml file at ~/default/profiles/fiat-local.yaml.

  2. Update the aggregate and prefix details in the fiat-local.yaml file as shown below:

    auth.permissions.provider.pipeline: aggregate
    auth.permissions.source.pipeline.prefix:
  3. Prefix: Provide a prefix name ending with "*" (for example "dev*").

    Note: The pipeline name must begin with the prefix provided here. In this example the prefix is "dev*".

  4. Pipeline Prefix: As described above, the pipeline is created with the specified prefix at the start of its name.

  5. Permissions: Assign the READ, WRITE and EXECUTE permissions to specific user groups.

    Note: In this example, access is provided as follows:

    • devteam group has READ permission only

    • qateam group has READ, WRITE and EXECUTE permissions

  6. Because the devteam group has only READ access and no WRITE or EXECUTE permission, its members can view the matching pipeline but cannot modify, execute or delete it. If such a user tries to edit, execute or delete the pipeline, an error message is displayed:

    • If a restricted user tries to Edit the pipeline, an error message is displayed.

    • If a restricted user tries to Execute the pipeline, an error message is displayed.

    • If a restricted user tries to Delete the pipeline, an error message is displayed.
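The following fiat-local.yaml fragment is an added example, not taken from the original page, that puts steps 2 to 5 together with the dev* prefix and the devteam/qateam permissions described above. The provider and source keys are the ones the page gives; the nested enabled, prefixes, prefix and permissions keys are an assumption modelled on Fiat's application prefix permission source, so confirm them against your Fiat build.

```yaml
# Added example (assumed layout, modelled on Fiat's application prefix source):
# pipeline-level RBAC for every pipeline whose name starts with "dev".
auth:
  permissions:
    provider:
      # Merge (aggregate) pipeline permissions from all configured sources
      pipeline: aggregate
    source:
      pipeline:
        prefix:
          enabled: true
          prefixes:
            # Matches pipelines named dev*, as in step 3
            - prefix: "dev*"
              permissions:
                # devteam may only view these pipelines
                READ:
                  - "devteam"
                  - "qateam"
                # qateam may also edit/delete and run them
                WRITE:
                  - "qateam"
                EXECUTE:
                  - "qateam"
```

Because the provider is set to aggregate, these prefix permissions are merged with any other configured permission source, so confirm the effective result for a user with the /authorize/<VALID-USERNAME> check described earlier.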
