-
Notifications
You must be signed in to change notification settings - Fork 137
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove ExportData token permission if host-requests are disabled #670
Remove ExportData token permission if host-requests are disabled #670
Conversation
…s-requests is true.
Hi @meik99, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was just confused about an internal process, you're good
@meik99 any update on a merge date? |
Hi @chrismuellner thank you for merging the latest On which end do we have to fix the failing tests? Locally they are green, don't know where the difference stems from? |
|
Head branch was pushed to by a user without write access
Failing |
Thanks! Just making sure the Actions run through before merging. |
…s-requests is true.
Description
summary of the change:
This PR validates the APITokens' scopes in case that a Dynakube instance is annotated with the
alpha.operator.dynatrace.com/feature-disable-hosts-requests: "true"
even if there is noExportData
permission (since this permission is never used in this case).relevant motivation and context
Dynatrace Operator will be used in our enterprise landscape by several hundred teams to monitor their K8s clusters in a single-tenant Dynatrace Environment. Due to strict data privacy rules, we cannot allow that regular users get such broad read access on v1 API of Dynatrace as the
ExportData
permission scope would provide.From my analysis of the code, the
ExportData
permission of the provided APIToken is never really required ifautomatic kubernetes api monitoring is not enabled and the annotation
alpha.operator.dynatrace.com/feature-disable-hosts-requests: "true"
on the dynakube instance is present.Since such a least-privilege approach is feasible without losing Dynatrace's monitoring capabilities (one only looses some comfort imho), I suggest to enable it also in code, although not making it the default.
How can this be tested?
What environment is necessary for the change to be noticeable ?
What needs to be enabled/applied for the change to be noticeable ?
dynakube
secret with an APIToken that grants nothing else thanInstallerDownload
permissionsfeature.dynatrace.com/disable-hosts-requests: "true"
on the dynakube instancemissing scopes
error on startup, the dynakube instance is spawned without any complaintChecklist