Access control for GitOps
Restrict access to GitOps entities through ABAC
Control access to entities in GitOps through ABAC (Attribute-Based Access Control). ABAC allows fine-grained access to application entities through the use of rules.
Define ABAC for applications, products, and promotion entities, in the Codefresh UI or programmatically via Terraform.
For more information on ABAC, see ABAC on Wikipedia.
Rules define the who, what, and where to control access through the following elements:
- Entities: The entity for which to create the rule.
- Teams: Teams control the who part of the rule. See Adding users and teams.
- Actions: Actions control the what part of the rule. You need to select at least one action per entity. Available actions differ based on the selected entity.
- Attributes: Attributes control the where part of the rule. They include standard Kubernetes attributes (clusters, namespaces, and labels) and Codefresh-specific attributes (Runtimes and Git Sources). The attributes which are available depend on the selected entity.
Adding attributes, either individually or in combination, allows more fine-grained access control to enforce the where policies for teams and actions.
Single attributes are useful to grant or deny access based on a specific property. Combinations of attributes help enforce more complex access control.
Create an access rule for GitOps entities via Codefresh UI
For each rule, you must select or define the:
- Entity for which to create the rule
- Team or teams the rule applies to, with at least one team being mandatory
- Action or actions permitted for the entity, with at least one action being mandatory
- Attribute or attributes determining where access is permitted
Before you begin
- Review:
How to
- In the Codefresh UI, on the toolbar, click the Settings icon.
- On the sidebar, from Access & Collaboration, select GitOps Permissions.
- To create a rule, click Add and define the following:
  - Entity: One of the following:
    - GitOps Applications
    - Promotion Flows
    - Products
    - Environments
  - Team: The team or teams to which to give access to the selected entity.
  - Actions: The actions to permit based on those available for the selected entity.
  - Attributes: One or more attributes based on those available for the selected entity.
- To confirm, click Add once again.
The rule you added for the entity is displayed in the GitOps Permissions page. Edit or delete the rule by clicking the respective icons.
Create an access rule for GitOps entities programmatically via Terraform
You can also create rules enforcing ABAC for GitOps via Terraform. See the documentation for codefresh_abac_rules.
Applications
Applications: Actions & Attributes
| Applications | Description |
|---|---|
| Actions | |
| Attributes | Allow access to application entities on a cluster or within a namespace through a single attribute or a combination of attributes. You can also add multiple instances of the same attribute with different values. |
Examples of rules for application entities
Rule: Cluster-based access to all actions
This rule grants the DevOps team permission to perform all actions for application entities on the production cluster, regardless of namespaces, Runtimes, Git Sources, and labels.
Rule elements
- Team: DevOps
- Actions: All
- Attributes:
  - Cluster: production-cluster
Rule: Cluster- and namespace-based access to all actions
This rule grants two different teams permissions to perform all actions for application entities deployed on a specific cluster, but only within a specific namespace.
Rule elements
- Teams: Product, Docs
- Actions: All
- Attributes:
  - Cluster: development
  - Namespace: product-sandbox
Rule: Namespace- and label-based access to specific actions
This rule grants the Support team permission to manually sync application entities, or to manually terminate ongoing syncs, for application entities deployed in a specific namespace, but only for those entities that share the same label.
Rule elements
- Team: Customer Support
- Actions: Sync, Terminate Sync
- Attributes:
  - Namespace: poc
  - Label: customer=AcmePoc
Environments
Environments: Actions & attributes
| Environments | Description |
|---|---|
| Actions | Promote to this environment: Allows the following actions: |
| Attributes | |
Examples of rules for environment entities
Rule: Restrict manual promotions by environment type
This rule restricts manual promotion privileges in production environments, minimizing the risk of unauthorized promotions in sensitive environments.
Rule elements
- Team: DevOps
- Attributes:
  - ENVIRONMENT_KIND: Production
Rule: Restrict manual promotions to specific environments
This rule restricts manual promotion privileges to specific environments, for example, testing environments, for controlled testing.
Rule elements
- Teams: Qa, DevOps
- Attributes:
  - ENVIRONMENT_NAME: staging, integration
Rule: Restrict manual promotions to specific pre-prod environments
This rule grants broader manual promotion privileges to specific non-production environments.
Rule elements
- Teams: Dev, Qa
- Attributes:
  - ENVIRONMENT_KIND: Non-production
  - ENVIRONMENT_NAME: dev, testing, pre-prod
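To make the who/what/where model and the attribute combinations concrete, here is an added illustration written for this page; it is not Codefresh code and does not claim to reproduce how the Codefresh backend evaluates rules. It is a small Python evaluator that transcribes the three application rules and the pre-prod environment rule from the examples above, then checks constructed requests against them. The semantics it assumes are inferred from the examples rather than stated by the page: deny by default, all attributes named in one rule must match (AND), and several values for the same attribute are alternatives (OR). The entity attribute values, the "Delete" action name, and granting the "Promote to this environment" action on the environment rule (the page lists no actions for it) are constructed for the example.

```python
# Toy GitOps ABAC evaluator (added illustration for this page; not Codefresh code).
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Union

ALL_ACTIONS = "All"  # the page's "All" actions choice
Values = Union[str, Iterable[str]]


def _as_set(value: Values) -> FrozenSet[str]:
    """Normalize a single string or any iterable of strings to a frozenset."""
    return frozenset([value]) if isinstance(value, str) else frozenset(value)


@dataclass
class Rule:
    entity: str                            # e.g. "GitOps Applications"
    teams: FrozenSet[str]                  # the "who"
    actions: FrozenSet[str]                # the "what"; {"All"} means every action
    attributes: Dict[str, FrozenSet[str]]  # the "where": attribute -> accepted values

    @classmethod
    def build(cls, entity: str, teams: Values, actions: Values,
              attributes: Optional[Dict[str, Values]] = None) -> "Rule":
        attrs = {name: _as_set(vals) for name, vals in (attributes or {}).items()}
        return cls(entity, _as_set(teams), _as_set(actions), attrs)

    def matches(self, entity: str, team: str, action: str,
                entity_attrs: Dict[str, Values]) -> bool:
        """True when this rule grants `team` the `action` on an entity with `entity_attrs`."""
        if entity != self.entity or team not in self.teams:
            return False
        if ALL_ACTIONS not in self.actions and action not in self.actions:
            return False
        # Assumed semantics: every attribute named in the rule must be satisfied (AND);
        # for one attribute, any listed value satisfies it (OR). A rule with no
        # attributes matches everywhere. Entities may carry several values per
        # attribute, which is how labels are modelled here.
        for name, accepted in self.attributes.items():
            if not accepted & _as_set(entity_attrs.get(name, ())):
                return False
        return True


def first_matching_rule(rules: List[Rule], entity: str, team: str, action: str,
                        entity_attrs: Dict[str, Values]) -> Optional[Rule]:
    """Return the first rule granting the request, or None (deny by default)."""
    return next((r for r in rules if r.matches(entity, team, action, entity_attrs)), None)


def is_allowed(rules: List[Rule], entity: str, team: str, action: str,
               entity_attrs: Dict[str, Values]) -> bool:
    return first_matching_rule(rules, entity, team, action, entity_attrs) is not None


APP = "GitOps Applications"
ENV = "Environments"
PROMOTE = "Promote to this environment"  # the environment action named on this page

# The page's example rules, transcribed into this toy model.
RULES = [
    # Cluster-based access to all actions
    Rule.build(APP, "DevOps", ALL_ACTIONS, {"Cluster": "production-cluster"}),
    # Cluster- and namespace-based access to all actions (both must hold)
    Rule.build(APP, ["Product", "Docs"], ALL_ACTIONS,
               {"Cluster": "development", "Namespace": "product-sandbox"}),
    # Namespace- and label-based access to two specific actions only
    Rule.build(APP, "Customer Support", ["Sync", "Terminate Sync"],
               {"Namespace": "poc", "Label": "customer=AcmePoc"}),
    # Manual promotions to specific pre-prod environments; granting PROMOTE here
    # is an assumption of this example, the page lists no actions for this rule
    Rule.build(ENV, ["Dev", "Qa"], PROMOTE,
               {"ENVIRONMENT_KIND": "Non-production",
                "ENVIRONMENT_NAME": ["dev", "testing", "pre-prod"]}),
]


def demo() -> Dict[str, bool]:
    """Evaluate constructed requests; every entity attribute value below is made up."""
    prod_app = {"Cluster": "production-cluster", "Namespace": "payments"}
    sandbox_app = {"Cluster": "development", "Namespace": "product-sandbox"}
    dev_app = {"Cluster": "development", "Namespace": "payments"}
    poc_app = {"Namespace": "poc", "Label": ["app=demo", "customer=AcmePoc"]}
    other_poc_app = {"Namespace": "poc", "Label": ["customer=Other"]}
    testing_env = {"ENVIRONMENT_KIND": "Non-production", "ENVIRONMENT_NAME": "testing"}
    prod_env = {"ENVIRONMENT_KIND": "Production", "ENVIRONMENT_NAME": "dev"}
    return {  # "Delete" is a placeholder action name, not taken from the page
        "devops syncs on production cluster": is_allowed(RULES, APP, "DevOps", "Sync", prod_app),
        "devops syncs on development cluster": is_allowed(RULES, APP, "DevOps", "Sync", dev_app),
        "docs deletes in product-sandbox": is_allowed(RULES, APP, "Docs", "Delete", sandbox_app),
        "docs deletes outside product-sandbox": is_allowed(RULES, APP, "Docs", "Delete", dev_app),
        "support syncs AcmePoc app": is_allowed(RULES, APP, "Customer Support", "Sync", poc_app),
        "support deletes AcmePoc app": is_allowed(RULES, APP, "Customer Support", "Delete", poc_app),
        "support syncs other customer app": is_allowed(RULES, APP, "Customer Support", "Sync", other_poc_app),
        "qa promotes to testing": is_allowed(RULES, ENV, "Qa", PROMOTE, testing_env),
        "qa promotes to production env named dev": is_allowed(RULES, ENV, "Qa", PROMOTE, prod_env),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print(f"{'ALLOW' if decision else 'DENY ':5} {request}")
```

The useful check for a practitioner is the negative cases: a team outside the rule, an action the rule does not list, a namespace or label that differs by one value, and an environment whose kind matches but whose name does not (or vice versa) are all denied, because nothing in the rule set grants them.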
Products
Products: Actions & attributes
| Products | Description |
|---|---|
| Actions | |
| Attributes | |
Examples of rules for product entities
Rule: Trigger promotions and retry releases for products by labels
This rule grants manual promotion and retry release privileges for all products with the specified label to all teams. For example, test and try product deployment to non-customer-facing environments.
Rule elements
- Teams: Dev, Qa, Product, Apollo
- Actions: Trigger promotion, Retry release
- Attributes:
  - LABEL: internal-use-only
Rule: Trigger promotions by labels & specific products
This rule grants manual promotion and retry release privileges for all products to fast-track promotions and deployments for critical issue resolution.
Rule elements
- Team: DevOps
- Actions: Trigger promotion, Retry release
- Attributes:
  - LABEL: hotfix
Rule: Trigger promotions by specific products
This rule grants manual promotion privileges to specific products that match a specific state in their development and deployment lifecycle, or any other requirement.
Rule elements
- Team: DevOps
- Actions: Trigger promotion
- Attributes:
  - PRODUCT_NAME: promotions-beta, multi-region-deploy
Promotion Flows
Promotion Flows: Actions & attributes
| Promotion Flows | Description |
|---|---|
| Actions | Trigger promotion flow: Allow users to manually trigger a Promotion Flow. See Manually trigger a Promotion Flow. |
| Attributes | Label: Allow users to trigger promotions for Promotion Flows that match the specified label in the YAML manifest. |