OCP Access requirements gathering and RH engagement

NickCorcoran commented 3 years ago

NickCorcoran commented 3 years ago

NickCorcoran commented 3 years ago

Requirements for User provisioning for OpenShift (AG):

Could include inventory of user access management?

Not only one ministry, but also it would be great to see who has which repositories access and what roles within all ministries. (as a platform administrator or security group)
Useful when developer leaves the company – remove from all projects/namespaces
IDIR vs GitHub User ID?

Could have an user search capability?

Could provide easy ‘Add’ and ‘Remove’ capabilities?
Could we view all namespaces that the user has access including other Ministries projects?

Could we make some automated solution?

Could follow core Government policy?

Built in the government process such as including in the ServiceNow or AAR (Account Access Request)
Click approve and it does the provisioning work (dream solution)
Could we have GUI to make the user provisioning easier?
Make audit process – simpler and easier for Platform and security team

Could include history of user /User provisioning

NickCorcoran commented 3 years ago

Related tickets: Custom roles

michaelshire commented 3 years ago

Initial meeting discussion notes

Goals:

40+ applications (160 namespaces? 😯)
Developers may be added to single namespace, or multiple namespaces
Turnover in developers can be high at times
Four roles assigned to users in AG namespaces: -- admin (highest project/namespace level configuration) -- edit (can do most things as admin, but not configure rolebindings) -- devedit (can do most things as edit, but cannot view/CRUD secrets) -- useradmin (cannot do anything but create rolebindings within a namespace)
Currently managed with yaml files, using "oc apply" -- When deleting a user, it's a manual process to search for the username across all files, delete, then apply the changes -- When adding a user, must go into multiple files (for each application they are supporting)
1. Ensure changes to user privilege are auditable events, capturing who approved and when it occurred
2. Ensure all use of user privilege within the clusters are auditable events
3. Avoid additional tools/solutions to be managed by platform team

Additional questions, I may have missed it in Ryan's presentation on October 20th,:

Does AG use ServiceNow or some other ticketing solution?
Does AG on board developers into an IDentity Provider like Active Directory, LDAP, Azure AD, Google IAM, etc?

Options to consider/discuss:

Using ArgoCD and GitHub to manage the rolebinding information and keep it updated. -- Additional benefit of meeting Goal 2 above -- GitOps process including segregation of duties for change and approvals (branch, PR, approve, merge) -- Does not require the person that performs the configuration, nor the person that approves the configuration to have access/privilege to OpenShift! (removes the need for "useradmin" role)
User focused tools to quickly search for user strings across many files and modify -- vscode -- grep/find/sed/awk -- oc cli magic
Investigate open source tools (ex. rbac-tool https://github.com/alcideio/rbac-tool ) for visualizing/reporting user access (improvements to auditing process)
Understand audit log functions of OpenShift for Goal 3 (this one is easy, it's already built in)
Use of Groups to simplify yaml changes (rolebindings are complex to add/remove users, groups are much easier to manipulate)

NickCorcoran commented 3 years ago

BCDevOps / developer-experience