kubeflow / notebooks

Kubeflow Notebooks lets you run web-based development environments on your Kubernetes cluster by running them inside Pods.
Apache License 2.0

Set workflows to run with read-only permissions #80

Open pnacht opened 1 year ago

pnacht commented 1 year ago

/kind feature

**Why you need this feature:**

Kubeflow's workflows are running with write-all permissions. This puts the project at risk of supply-chain attacks.

I took a look at all the workflows and none of them seem to require significant permissions.

**Describe the solution you'd like:**

There are two solutions:

- all the workflows can be set with read-only top-level permissions; and/or
- the default workflow token can be set to read-only

I'll send a PR setting top-level permissions for all workflows. If you also/instead want to change the default token:

  1. Open the repo settings
  2. Go to [Actions > General](https://github.com/kubeflow/kubeflow/settings/actions)
  3. Under "Workflow permissions", set them to "Read repository contents and packages permissions"

**Anything else you would like to add:**

My name is Pedro and I work with Google and the [Open Source Security Foundation (OpenSSF)](https://www.openssf.org/) to improve the supply-chain security of the open-source ecosystem.
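As an added example (not code from this issue or from the kubeflow/notebooks repository), a small Python check that does the audit the reporter describes by hand: it reads workflow files and reports whether each one declares a restrictive top-level `permissions` grant for `GITHUB_TOKEN`. It inspects only the column-0 key rather than parsing YAML fully, so it is a first pass; the sample workflows are constructed.

```python
import re

# Constructed sample workflows for this example; none is a file from the
# kubeflow/notebooks repository.
SAMPLES = {
    "no-key": "name: ci\non: [push]\njobs:\n  build:\n    runs-on: ubuntu-latest\n"
              "    steps:\n      - uses: actions/checkout@v4\n",
    "write-all": "name: ci\non: [push]\npermissions: write-all\njobs: {}\n",
    "read-all": "name: ci\non: [push]\npermissions: read-all\njobs: {}\n",
    "scoped": "name: release\non: [push]\npermissions:\n  contents: read\n"
              "  packages: write\njobs: {}\n",
}

TOP_LEVEL = re.compile(r"^permissions:\s*(.*?)\s*$")  # column 0 only


def audit_workflow(text: str) -> tuple[str, dict[str, str]]:
    """Classify one workflow's top-level GITHUB_TOKEN grant.
    status: "missing"   (no key: the token inherits the repository's default
                         "Workflow permissions" setting),
            "write-all", "read-only" (read-all or {}), "scoped" (per-scope
            mapping, returned in scopes) or "unparsed" (inline form not handled).
    Only the workflow-level key is inspected, not job-level overrides.
    """
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = TOP_LEVEL.match(line)
        if not m:
            continue
        value = m.group(1)
        if value == "write-all":
            return "write-all", {}
        if value in ("read-all", "{}"):
            return "read-only", {}
        if value:
            return "unparsed", {}
        scopes: dict[str, str] = {}
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            if not nxt.startswith(" "):  # back at column 0: mapping ended
                break
            key, _, val = nxt.strip().partition(":")
            scopes[key.strip()] = val.strip()
        return ("scoped" if scopes else "read-only"), scopes
    return "missing", {}


def needs_review(status: str, scopes: dict[str, str]) -> bool:
    """True when the grant is broader than read-only and deserves a look."""
    return status in ("missing", "write-all", "unparsed") or "write" in scopes.values()
```

Run it over every file under `.github/workflows/` and anything flagged by `needs_review` is a candidate for the top-level `permissions: read-all` (or a minimal scope mapping) the issue proposes.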

google-oss-prow[bot] commented 5 months ago

@juliusvonkohout: Closing this issue.

In response to [this](https://github.com/kubeflow/notebooks/issues/80):

> /close
>
> wrong repository, use kubeflow/pipelines instead

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

juliusvonkohout commented 5 months ago

/reopen

since it is about github actions, not kubeflow pipelines

google-oss-prow[bot] commented 5 months ago

@juliusvonkohout: Reopened this issue.

In response to [this](https://github.com/kubeflow/notebooks/issues/80):

> /reopen
>
> since it is about github actions, not kubeflow pipelines

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

andreyvelich commented 2 days ago

/transfer notebooks

google-oss-prow[bot] commented 2 days ago

@pnacht: The label(s) kind/feature cannot be applied, because the repository doesn't have them.

In response to [this](https://github.com/kubeflow/notebooks/issues/80):

> /kind feature
>
> **Why you need this feature:**
>
> Kubeflow's workflows are running with write-all permissions. This puts the project at risk of supply-chain attacks.
>
> I took a look at all the workflows and none of them seem to require significant permissions.
>
> **Describe the solution you'd like:**
>
> There are two solutions:
> - all the workflows can be set with read-only top-level permissions; and/or
> - the default workflow token can be set to read-only
>
> I'll send a PR setting top-level permissions for all workflows. If you also/instead want to change the default token:
>
> 1. Open the repo settings
> 2. Go to [Actions > General](https://github.com/kubeflow/kubeflow/settings/actions)
> 3. Under "Workflow permissions", set them to "Read repository contents and packages permissions"
>
> **Anything else you would like to add:**
>
> My name is Pedro and I work with Google and the [Open Source Security Foundation (OpenSSF)](https://www.openssf.org/) to improve the supply-chain security of the open-source ecosystem.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.