Configuring access control

Restrict resources in a company environment

Codefresh provides several complementary ways for access control within an organization:

  • Role-based access: Role-based access, restricts access to parts of the Codefresh UI intended for account administrators. For example, only an account administrator should be able to change integrations with git providers and cloud services.

  • Attribute-based access control (ABAC): Policy-based access control via attributes (ABAC), restricts access to Add Kubernetes clusters with policy attributes. This option allows account administrators to define exactly which teams have access to which clusters and pipelines. For example, you can grant access to production clusters only to a subset of trusted developers/operators. On the other hand, access to a QA/staging cluster can be less strict.

  • Git-repository access: Restrict the Git repositories used to load pipeline definitions.

Role-based access for users and administrators

Role-based access, as either a user or an administrator, is usually defined when you add users to Codefresh accounts.

To add users and assign or change user roles, you must be an administrator yourself.

User roles for access control

User roles for access control

The table below lists the functionality available for role-based access.

Functionality Available for Role
Run pipelines User and Admin
View Docker images User and Admin
Inspect text reports User and Admin
Git Integrations Admin
External Docker registry settings Admin
External Helm repositories Admin
Cloud provider settings Admin
Cloud storage settings Admin
Shared configuration Admin
API token generation Admin
SSO Settings Admin
Runtime environment selection Admin
Slack settings Admin
Audit logs Admin
ABAC for Kubernetes clusters Admin
Billing and charging Admin

ABAC access control for Kubernetes clusters and pipelines

ABAC (Attribute-Based Access Control), allows fine-grained access to Kubernetes clusters and pipelines. See (ABAC.

ABAC access control includes:

  1. Assigning custom attributes to your Kubernetes clusters
  2. Assiging custom attributes to your pipelines
  3. Defining rules as policies using teams, clusters, and attributes (who, what, where)

Add Kubernetes clusters with policy attributes

After adding Kubernetes clusters, you can configure clusters with multiple tags.

Tag names are arbitrary, and can be anything you choose that matches your company process. You can tag your clusters with product names, software lifecycle phases, department names, or name that helps your security policies.

You can assign multiple tags to each cluster, making it easy to define multiple policies on the same cluster. For example, per project and per team.

Cluster tags

Cluster tags

Before you begin

How to

  1. Expand the provider under which you added the cluster.
  2. Mouse over the cluster to which to add tags or attributes, and then click Edit tags on the right. The Tags page displays existing tags if any, and allows you to add multiple tags for a single cluster.

Assigning tags to a cluster

Assigning tags to a cluster
  1. Click Add and type in the tag.
  2. Continue to add tags and when finished, click Save.

By default, all clusters, with and without tags, are displayed and can be edited by all users (but not deleted). As soon as you add at least one tag to a cluster, the cluster is only accessible to users with the required policy rules (explained in the next sections).

Configure pipelines with policy attributes

Similar to Kubernetes clusters, you can also add tags to specific pipelines.

Before you begin

How to

  1. In the Codefresh UI, from Pipelines in the sidebar, select Pipelines.
  2. In the row with the target pipline, click the context menu for the pipeline, and then select Edit tags.
  3. Type in the new tag, press Enter, and continue to add the tags you need.
  4. When finished, click Save.

Assigning attributes to a pipeline

Assigning attributes to a pipeline

Define rules for access control

Define security rules using the who, what, where pattern to control access to clusters and pipelines by departments, projects, roles etc.

For each rule you define, select:

  1. The team the rule applies to
  2. Cluster privileges (Create/delete/read/update) or pipeline privileges (Create/delete/read/run/update)
  3. Effective tags

Before you begin

How to

  1. In the Codefresh UI, on the toolbar, click the Settings icon and then select Account Settings.
  2. On the sidebar, from Access & Collaboration, select Permissions.
  3. For each entity, do the following to define a rule:
    1. Select the team to which assign the rule.
    2. Select the permissions to assign to the team for that entity.
    3. Select either all clusters with tags (All tags) or all clusters that are untagged (Without tags).

Kubernetes policies

Kubernetes policies

Description of privileges

For clusters:

  • Create: cluster creation requires someone to be account administrator anyway so currently this permission isn’t really necessary .
  • Read - can only see existing allowed clusters without any ability to change them.
  • Update - can see and edit existing allowed cluster resources (which means also perform installation, removal and rollbacks of Helm charts). Tags are managed from account settings, so this permission doesn’t apply to it currently.
  • Delete - cluster removal requires someone to be account administrator anyway so currently this permission isn’t really necessary.

For pipelines:

  • Create - can only create new pipelines, not see, edit (which includes tagging them) or delete them. This permission should also go hand in hand with additional permissions like read/edit untagged pipelines.
  • Read - view allowed pipelines only.
  • Update - see and edit allowed pipelines only (including tagging them).
  • Delete - can delete allowed pipelines only.
  • Run - can run allowed pipelines only.
  • Approve - resume pipelines that are waiting for manual approval.
  • Debug - allow the usage of the pipeline debugger.

Git-repository access restrictions

By default, users can load pipeline definitions when creating a pipeline, from the inline editor, or any private or public Git repository.

You can change the default behavior to restrict loading pipeline definitions from specific Git repositories or completely disable loading the definitions from all Git repositories.

Enable/disable access to pipeline YAMLs by source

Enable or disable access to pipeline definition YAMLs based on the source of the YAML. These global settings are effective for all pipelines in the account and enables or disables that method of pipeline creation from the Codefresh UI. pipeline definitions from:

  • The inline editor in the Codefresh UI: Disabling the inline editor for example, disables new and all existing pipelines with pipeline definitions defined in the Codefresh editor. The Run button is disabled for all such piplines.
  • Any Git repository connected to Codefresh
  • Any public URL
  1. In the Codefresh UI, on the toolbar, click the Settings icon and then select Account Settings.
  2. From Configuration on the sidebar, select Pipeline Settings.

Global pipeline restrictions

Global pipeline restrictions
  1. Turn on or off the options as needed.

Define access to Git repositories for pipeline YAMLs

If access to pipeline definitions are enabled for Git repositories, you can configure fine-grained restrictions through the integrations settings for your Git provider.

  1. In the Codefresh UI, on the toolbar, click the Settings icon and then select Account Settings.
  2. From Configuration on the sidebar, select Pipeline Integrations.
  3. Select the Git provider integration, click Edit.
  4. Scroll down and expand YAML Options.

Pipeline restrictions per Git provider

Pipeline restrictions per Git provider
  1. Configure restrictions for Git repositories that can be used for pipeline definitions:
    • Allow only the following repositories: Toggle Manual selection to on, and then select the Git repos, or define a regex according to which to select repos.
    • Allow only the following branches: Select Git repositories by the branches that match the regex. For example, this regex /^((pipeline-definition)$).*/g, allows users to load pipeline YAMLs only from a branch named pipeline-definition in a Git repository.
    • Allow only the following paths: Select Git repositories by folders within the repo that match the glob pattern).

Codefresh installation options
Managing your Kubernetes cluster