Closed Unix4ever closed 2 weeks ago
Maybe only the Admin should be able to do that, as it bypasses the user management system. Any specific reason to pick Operator?
Only Admin can do that, I've updated that check in the API.
We pick Operator to give the same access level as Omni would provide, except you can talk to the nodes directly.
The only thing I would add would be that “tainted” is a pretty broad term and as a user I would want to know why it is “tainted”. I can’t think of a better descriptive name at the moment. Especially with the meaning of tainted in Kubernetes being different than what we mean here.
It also feels like there is some overlap in what we mean by admin here. We have admin roles but this kubeconfig/talosconfig is different from those roles. I think “emergency” better describes the intent of this feature and separates things clearly.
Tainted in the sense that we can no longer guarantee secrets protection. You grabbed admin config, if you break your cluster or if you forget to rotate the secrets and it leaks it's your fault.
The name of the resource isn't that important, it's more for our internal usage right now. And if we decide to show the UI, we can give a broad explanation there.
/m
Fixes: https://github.com/siderolabs/omni/issues/33
It is now possible to get full access `kubeconfig` and `talosconfig` (operator role), if the Omni instance has the `enable-break-glass-configs` flag enabled. They can be downloaded using CLI commands:

    omnictl kubeconfig --break-glass --cluster <name>
    omnictl talosconfig --break-glass --cluster <name>

After you download the config the cluster will be marked with the `omni.sidero.dev/tainted` annotation to keep in mind that this cluster has weaker security and might need to get secrets rotation in the future.
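The rule the review settled on (only an Admin may request a break-glass config, only when the instance flag is on, the config carries Operator-level access, and the cluster is tainted afterwards), modelled as an added Go example that is not Omni's own code; the `Role` type, the `Cluster` shape, the `IssueBreakGlass` name and the error values are assumptions of this example.

```go
package main

import "errors"

type Role int // mirrors the Omni roles named in the thread; the ordering is this example's assumption

const (
	Operator Role = iota + 1
	Admin
)

const TaintedAnnotation = "omni.sidero.dev/tainted" // annotation named in the commit message

// Cluster is a minimal stand-in for the Omni cluster resource (assumed shape).
type Cluster struct {
	Name        string
	Annotations map[string]string
}

// BreakGlassConfig is the returned config: Operator-level access to one cluster.
type BreakGlassConfig struct {
	Cluster, Kind string // Kind is "kubeconfig" or "talosconfig"
	Role          Role
}

var (
	ErrFlagDisabled = errors.New("enable-break-glass-configs is not enabled on this instance")
	ErrNotAdmin     = errors.New("only Admin may request a break-glass config")
	ErrBadKind      = errors.New("config kind must be kubeconfig or talosconfig")
)

// IssueBreakGlass models the server-side check agreed in the review: the flag must be on and
// the requester must be Admin. A rejected request leaves the cluster untouched; an accepted
// one taints it so it can be found later for secrets rotation.
func IssueBreakGlass(requester Role, flagEnabled bool, c *Cluster, kind string) (*BreakGlassConfig, error) {
	if !flagEnabled {
		return nil, ErrFlagDisabled
	}
	if requester != Admin {
		return nil, ErrNotAdmin
	}
	if kind != "kubeconfig" && kind != "talosconfig" {
		return nil, ErrBadKind
	}
	if c.Annotations == nil {
		c.Annotations = map[string]string{}
	}
	c.Annotations[TaintedAnnotation] = "" // presence is what matters; no value is specified on the page
	return &BreakGlassConfig{Cluster: c.Name, Kind: kind, Role: Operator}, nil
}
```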