Access control for GitOps

Restrict access to GitOps entities through ABAC

Control access to entities in GitOps through ABAC (Attribute-Based Access Control). ABAC allows fine-grained access to application entities through the use of rules.
Define ABAC for applications, products, and promotion entities, in the Codefresh UI or programmatically via Terraform.
For more information on ABAC, see ABAC on Wikipedia.

Rules define the who, what, and where to control access through the following elements:

  • Entities
    The entity for which to create the rule.
  • Teams
    Teams control the who part of the rule. See Adding users and teams.

  • Actions
    Actions control the what part of the rule. You need to select at least one action per entity. Available actions differ based on the selected entity.

  • Attributes
    Attributes control the where part of the rule. They include standard Kubernetes attributes (clusters, namespaces, and labels) and Codefresh-specific attributes (Runtimes and Git Sources). The attributes which are available depend on the selected entity.
    Adding attributes, either individually or in combination, allows more fine-grained access control to enforce the where policies for teams and actions.
    Single attributes are useful to grant or deny access based on a specific property. Combinations of attributes help enforce more complex access control.

Create an access rule for GitOps entities via Codefresh UI

For each rule, you must select or define the:

  • Entity for which to create the rule
  • Team or teams the rule applies to, with at least one team being mandatory
  • Action or actions permitted for the entity, with at least one action being mandatory
  • Attribute or attributes determining where access is permitted

Before you begin

How to
  1. In the Codefresh UI, on the toolbar, click the Settings icon.
  2. On the sidebar, from Access & Collaboration, select GitOps Permissions.
  3. To create a rule, click Add and define the following:
    • Entity: One of the following:
      • GitOps Applications
      • Promotion Flows
      • Products
      • Environments
    • Team: The team or teams to which to give access to the selected entity.
    • Actions: The actions to permit based on those available for the selected entity.
    • Attributes: One or more attributes based on those available for the selected entity.
  4. To confirm, click Add once again.

Add rule for application entities
The rule you added for the entity is displayed in the GitOps Permissions page. Edit or delete the rule by clicking the respective icons.

Create an access rule for GitOps entities programmatically via Terraform

You can also create rules enforcing ABAC for GitOps via Terraform. See the documentation for codefresh_abac_rules.

Applications

Applications: Actions & Attributes

Actions

Attributes
Allow access to application entities on a cluster or within a namespace through a single attribute or a combination of attributes.
You can also add multiple instances of the same attribute with different values.
  • Cluster: Allow access to all application entities in the cluster, regardless of the namespace, Runtime, and Git Sources of specific applications.
  • Namespace: Allow access to application entities only within the namespace. If users have multiple accounts on different clusters with the same namespace, they can access applications in all those namespaces.
  • Runtime: Allow access to application entities associated with the defined Runtime.
  • Git Source: Allow access to application entities only in the defined Git Source. A Git Source is always associated with a Runtime.
  • Label: Allow access only to application entities that share the same label. For example, add multiple Label attributes with different values to sync application entities.

Examples of rules for application entities

Rule: Cluster-based access to all actions

This rule grants the DevOps team permission to perform all actions for application entities on the production cluster, regardless of namespaces, Runtimes, Git Sources, and labels.

Rule elements

  • Team: DevOps
  • Actions: All
  • Attributes: Cluster: production-cluster

Rule: Cluster- and namespace-based access to all actions

This rule grants two different teams permissions to perform all actions for application entities deployed on a specific cluster but within a specific namespace.

Rule elements

  • Teams: Product, Docs
  • Actions: All
  • Attributes:
    • Cluster: development
    • Namespace: product-sandbox

Rule: Namespace- and label-based access to specific actions

This rule grants the Support team permission to manually sync application entities or manually terminate ongoing syncs for application entities deployed in a specific namespace, but only for those entities that share the same label.

Rule elements

  • Team: Customer Support
  • Actions: Sync, Terminate Sync
  • Attributes:
    • Namespace: poc
    • Label: customer=AcmePoc
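To make the evaluation order of the three application rules above concrete, here is an added example (not Codefresh's own evaluator) that models rules as team/action/attribute triples and checks whether a team may perform an action on a given application. It assumes that different attribute kinds in one rule are combined with AND, that several values of the same attribute kind are combined with OR, and that rules only grant access, so anything no rule covers is denied; the application objects are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed model of the ABAC rules described on this page. Assumptions
# (not taken from the page): every attribute kind in a rule must match (AND
# across kinds), any one value of a kind is enough (OR within a kind), and
# rules are grant-only, so access is denied unless some rule permits it.

@dataclass
class Rule:
    teams: set
    actions: set                                     # {"*"} means all actions
    attributes: dict = field(default_factory=dict)   # kind -> set of values

@dataclass
class Application:
    cluster: str
    namespace: str
    runtime: str
    git_source: str
    labels: dict

def _attr_values(app, kind):
    """Values an application exposes for one attribute kind (labels as key=value)."""
    if kind == "label":
        return {f"{k}={v}" for k, v in app.labels.items()}
    return {getattr(app, kind)}

def rule_matches(rule, app):
    # A rule with no attributes matches every application (where = anywhere).
    return all(values & _attr_values(app, kind)
               for kind, values in rule.attributes.items())

def is_allowed(rules, team, action, app):
    for rule in rules:
        if team not in rule.teams:
            continue
        if "*" not in rule.actions and action not in rule.actions:
            continue
        if rule_matches(rule, app):
            return True
    return False

# The three example rules from this page.
RULES = [
    Rule({"DevOps"}, {"*"}, {"cluster": {"production-cluster"}}),
    Rule({"Product", "Docs"}, {"*"},
         {"cluster": {"development"}, "namespace": {"product-sandbox"}}),
    Rule({"Customer Support"}, {"Sync", "Terminate Sync"},
         {"namespace": {"poc"}, "label": {"customer=AcmePoc"}}),
]

# Constructed sample applications.
PROD_APP = Application("production-cluster", "payments", "rt-prod", "gs-prod", {"team": "payments"})
POC_APP = Application("development", "poc", "rt-dev", "gs-dev", {"customer": "AcmePoc"})
```

Note that the namespace-only case from the attribute description (the same namespace on several clusters) falls out of the model: a rule listing only a namespace matches that namespace on every cluster.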

Environments

Environments: Actions & attributes

Actions
  • Promote to this environment: Allows the following actions:

Attributes
  • Environment Name: Allow users to promote to all environments that match the name or names. For example, allow users in team Dev to promote to dev and staging environments only.
  • Environment Kind: Allow users to promote to only the specified type of environment, either production or non-production.

Examples of rules for environment entities

Rule: Restrict manual promotions by environment type

This rule restricts manual promotion privileges in production environments, minimizing the risk of unauthorized promotions in sensitive environments.

Rule elements

  • Team: DevOps
  • Attributes:
    • ENVIRONMENT_KIND: Production

Rule: Restrict manual promotions to specific environments

This rule restricts manual promotion privileges to specific environments, for example, testing environments, for controlled testing.

Rule elements

  • Team: Qa, DevOps
  • Attributes:
    • ENVIRONMENT_NAME: staging, integration

Rule: Restrict manual promotions to specific pre-prod environments

This rule grants broader manual promotion privileges to specific non-production environments.

Rule elements

  • Team: Dev, Qa
  • Attributes:
    • ENVIRONMENT_KIND: Non-production
    • ENVIRONMENT_NAME: dev, testing, pre-prod

Products

Products: Actions & attributes

Actions

Attributes
  • Label: Allow users to trigger promotions or to retry failed releases only for products that match the specified labels. For example, allow users in team DevOps to promote products with the label hotfix. See Configuring labels in Product Settings.
  • Product Name: Allow users to trigger promotions or to retry failed releases only for products that match the specified names. For example, allow users in team Dev to promote products with the name Marvel.

Examples of rules for product entities

Rule: Trigger promotions and retry releases for products by labels

This rule grants manual promotion and retry release privileges for all products with the specified label to all teams. For example, test and try product deployment to non-customer-facing environments.

Rule elements

  • Team: Dev, Qa, Product, Apollo
  • Actions: Trigger promotion, Retry release
  • Attributes:
    • LABEL: internal-use-only


Rule: Trigger promotions by labels & specific products

This rule grants manual promotion and retry release privileges for all products with the specified label, to fast-track promotions and deployments for critical issue resolution.

Rule elements

  • Team: DevOps
  • Actions: Trigger promotion, Retry release
  • Attributes:
    • LABEL: hotfix

Rule: Trigger promotions by specific products

This rule grants manual promotion privileges to specific products that match a specific state in their development and deployment lifecycle, or any other requirement.

Rule elements

  • Team: DevOps
  • Actions: Trigger promotion
  • Attributes:
    • PRODUCT_NAME: promotions-beta, multi-region-deploy

Promotion Flows

Promotion Flows: Actions & attributes

Actions
  • Trigger promotion flow: Allow users to manually trigger a Promotion Flow. See Manually trigger a Promotion Flow.

Attributes
  • Label: Allow users to trigger promotions for Promotion Flows that match the specified label in the YAML manifest.

Codefresh Provider for Terraform