grafana / grafana-operator

An operator for Grafana that installs and manages Grafana instances, Dashboards and Datasources through Kubernetes/OpenShift CRs
https://grafana.github.io/grafana-operator/
Apache License 2.0

docs: proposal for instance based plugin management #1577

Open theSuess opened 2 months ago

theSuess commented 2 months ago

Addresses concerns raised in #1572

siegenthalerroger commented 2 months ago

Hi, I'm not sure how to integrate my points into the concrete proposal rn but I have some feedback.

I think this approach would find a good balance between what could be expected of the Grafana-Operator and what would be more well suited to a policy-engine that intercepts the Dashboard/Datasource CRs. Particularly allowing/disallowing plugins for Datasources vs Dashboards would pretty much have our "dream" security system purely with Grafana-Operator and k8s RBAC with no OPA or anything additional.

NissesSenap commented 2 months ago

@siegenthalerroger could you write a proposal for how you think a grafana that solves:

"I think there should be a Grafana CR configuration of what plugins can be installed on the Dashboard and Datasource CRs (independently, e.g. allowing arbitrary URLs but signed plugins on Datasources but none at all on Dashboards)."

Would look like? To me, it sounds like a big risk of making things really complex.

I agree with your first point, I don't think we should remove plugins from datasources and dashboards. I think it plays really well with having a platform team providing a grafana instance, and they are the ones setting it up. But your developers should have the possibility to create dashboards/datasources that need plugins without asking the "platform team" to do it. Something something self serve.

But I can also see how this is an issue, that the developers can add plugins which forces a restart of the grafana instance, so I think it sounds like a good middle ground, being able to disable the feature altogether and only control it through the grafana instance.

github-actions[bot] commented 1 month ago

This PR hasn't been updated for a while, marking as stale

NissesSenap commented 1 month ago

Bump

github-actions[bot] commented 5 days ago

This PR hasn't been updated for a while, marking as stale