Remove ExportData token permission if host-requests are disabled #670
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…s-requests is true.
meik99
suggested changes
Mar 28, 2022
meik99
previously approved these changes
Mar 29, 2022
|
Hi @meik99, |
luhi-DT
changed the title
meik99
previously approved these changes
Mar 29, 2022
|
@meik99 any update on a merge date? |
|
Hi @chrismuellner thank you for merging the latest On which end do we have to fix the failing tests? Locally they are green, don't know where the difference stems from? |
|
auto-merge was automatically disabled
April 26, 2022 07:20
Head branch was pushed to by a user without write access
|
Failing |
|
Thanks! Just making sure the Actions run through before merging. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
…s-requests is true.
Description
summary of the change:
This PR validates the APITokens' scopes in case that a Dynakube instance is annotated with the
alpha.operator.dynatrace.com/feature-disable-hosts-requests: "true"even if there is noExportDatapermission (since this permission is never used in this case).relevant motivation and context
Dynatrace Operator will be used in our enterprise landscape by several hundred teams to monitor their K8s clusters in a single-tenant Dynatrace Environment. Due to strict data privacy rules, we cannot allow that regular users get such broad read access on v1 API of Dynatrace as the
ExportDatapermission scope would provide.From my analysis of the code, the
ExportDatapermission of the provided APIToken is never really required ifautomatic kubernetes api monitoring is not enabled and the annotation
alpha.operator.dynatrace.com/feature-disable-hosts-requests: "true"on the dynakube instance is present.Since such a least-privilege approach is feasible without losing Dynatrace's monitoring capabilities (one only looses some comfort imho), I suggest to enable it also in code, although not making it the default.
How can this be tested?
What environment is necessary for the change to be noticeable ?
What needs to be enabled/applied for the change to be noticeable ?
dynakubesecret with an APIToken that grants nothing else thanInstallerDownloadpermissionsfeature.dynatrace.com/disable-hosts-requests: "true"on the dynakube instancemissing scopeserror on startup, the dynakube instance is spawned without any complaintChecklist