Configuring access control
Restrict resources in a company environment
Codefresh provides several complementary ways for access control within an organization:
-
Role-based access: Role-based access, restricts access to parts of the Codefresh UI intended for account administrators. For example, only an account administrator should be able to change integrations with git providers and cloud services.
-
Attribute-based access control (ABAC): Policy-based access control via attributes (ABAC), restricts access to Add Kubernetes clusters with policy attributes. This option allows account administrators to define exactly which teams have access to which clusters and pipelines. For example, you can grant access to production clusters only to a subset of trusted developers/operators. On the other hand, access to a QA/staging cluster can be less strict.
-
Git-repository access: Restrict the Git repositories used to load pipeline definitions.
Role-based access for users and administrators
Role-based access, as either a user or an administrator, is usually defined when you add users to Codefresh accounts.
To add users and assign or change user roles, you must be an administrator yourself.
The table below lists the functionality available for role-based access.
| Functionality | Available for Role |
|---|---|
| Run pipelines | User and Admin |
| View Docker images | User and Admin |
| Inspect text reports | User and Admin |
| Git Integrations | Admin |
| External Docker registry settings | Admin |
| External Helm repositories | Admin |
| Cloud provider settings | Admin |
| Cloud storage settings | Admin |
| Shared configuration | Admin |
| API token generation | Admin |
| SSO Settings | Admin |
| Runtime environment selection | Admin |
| Slack settings | Admin |
| Audit logs | Admin |
| ABAC for Kubernetes clusters | Admin |
| Billing and charging | Admin |
ABAC access control for Kubernetes clusters and pipelines
ABAC (Attribute-Based Access Control), allows fine-grained access to Kubernetes clusters and pipelines. See (ABAC.
ABAC access control includes:
- Assigning custom attributes to your Kubernetes clusters
- Assiging custom attributes to your pipelines
- Defining rules as policies using teams, clusters, and attributes (who, what, where)
Add Kubernetes clusters with policy attributes
After adding Kubernetes clusters, you can configure clusters with multiple tags.
Tag names are arbitrary, and can be anything you choose that matches your company process. You can tag your clusters with product names, software lifecycle phases, department names, or name that helps your security policies.
You can assign multiple tags to each cluster, making it easy to define multiple policies on the same cluster. For example, per project and per team.
Before you begin
- If needed, add a Kubernetes cluster
How to
- Expand the provider under which you added the cluster.
- Mouse over the cluster to which to add tags or attributes, and then click Edit tags on the right. The Tags page displays existing tags if any, and allows you to add multiple tags for a single cluster.
- Click Add and type in the tag.
- Continue to add tags and when finished, click Save.
By default, all clusters, with and without tags, are displayed and can be edited by all users (but not deleted). As soon as you add at least one tag to a cluster, the cluster is only accessible to users with the required policy rules (explained in the next sections).
Configure pipelines with policy attributes
Similar to Kubernetes clusters, you can also add tags to specific pipelines.
Before you begin
- If needed, create a pipeline
How to
- In the Codefresh UI, from Pipelines in the sidebar, select Pipelines.
- In the row with the target pipline, click the context menu for the pipeline, and then select Edit tags.
- Type in the new tag, press Enter, and continue to add the tags you need.
- When finished, click Save.
Define rules for access control
Define security rules using the who, what, where pattern to control access to clusters and pipelines by departments, projects, roles etc.
For each rule you define, select:
- The team the rule applies to
- Cluster privileges (Create/delete/read/update) or pipeline privileges (Create/delete/read/run/update)
- Effective tags
Before you begin
- Make sure you have created at least one team
How to
- In the Codefresh UI, on the toolbar, click the Settings icon and then select Account Settings.
- On the sidebar, from Access & Collaboration, select Permissions.
- For each entity, do the following to define a rule:
- Select the team to which assign the rule.
- Select the permissions to assign to the team for that entity.
- Select either all clusters with tags (All tags) or all clusters that are untagged (Without tags).
Description of privileges
For clusters:
Create: cluster creation requires someone to be account administrator anyway so currently this permission isn’t really necessary .Read- can only see existing allowed clusters without any ability to change them.Update- can see and edit existing allowed cluster resources (which means also perform installation, removal and rollbacks of Helm charts). Tags are managed from account settings, so this permission doesn’t apply to it currently.Delete- cluster removal requires someone to be account administrator anyway so currently this permission isn’t really necessary.
For pipelines:
Create- can only create new pipelines, not see, edit (which includes tagging them) or delete them. This permission should also go hand in hand with additional permissions like read/edit untagged pipelines.Read- view allowed pipelines only.Update- see and edit allowed pipelines only (including tagging them).Delete- can delete allowed pipelines only.Run- can run allowed pipelines only.Approve- resume pipelines that are waiting for manual approval.Debug- allow the usage of the pipeline debugger.
Git-repository access restrictions
By default, users can load pipeline definitions when creating a pipeline, from the inline editor, or any private or public Git repository.
You can change the default behavior to restrict loading pipeline definitions from specific Git repositories or completely disable loading the definitions from all Git repositories.
Enable/disable access to pipeline YAMLs by source
Enable or disable access to pipeline definition YAMLs based on the source of the YAML. These global settings are effective for all pipelines in the account and enables or disables that method of pipeline creation from the Codefresh UI. pipeline definitions from:
- The inline editor in the Codefresh UI: Disabling the inline editor for example, disables new and all existing pipelines with pipeline definitions defined in the Codefresh editor. The Run button is disabled for all such piplines.
- Any Git repository connected to Codefresh
- Any public URL
- In the Codefresh UI, on the toolbar, click the Settings icon and then select Account Settings.
- From Configuration on the sidebar, select Pipeline Settings.
- Turn on or off the options as needed.
Define access to Git repositories for pipeline YAMLs
If access to pipeline definitions are enabled for Git repositories, you can configure fine-grained restrictions through the integrations settings for your Git provider.
- In the Codefresh UI, on the toolbar, click the Settings icon and then select Account Settings.
- From Configuration on the sidebar, select Pipeline Integrations.
- Select the Git provider integration, click Edit.
- Scroll down and expand YAML Options.
- Configure restrictions for Git repositories that can be used for pipeline definitions:
- Allow only the following repositories: Toggle Manual selection to on, and then select the Git repos, or define a regex according to which to select repos.
- Allow only the following branches: Select Git repositories by the branches that match the regex. For example, this regex
/^((pipeline-definition)$).*/g, allows users to load pipeline YAMLs only from a branch namedpipeline-definitionin a Git repository. - Allow only the following paths: Select Git repositories by folders within the repo that match the glob pattern).
Related articles
Codefresh installation options
Managing your Kubernetes cluster