siderolabs / omni

SaaS-simple deployment of Kubernetes - on your own hardware.

feat: provide a way to get admin `talosconfig` and `kubeconfig` #360

Closed Unix4ever closed 2 weeks ago

Unix4ever commented 2 weeks ago

Fixes: https://github.com/siderolabs/omni/issues/33

It is now possible to get a full-access kubeconfig and talosconfig (operator role) if the Omni instance has the `enable-break-glass-configs` flag enabled.

They can be downloaded using CLI commands:

```bash
omnictl kubeconfig --break-glass --cluster <name>
omnictl talosconfig --break-glass --cluster <name>
```

After you download the config, the cluster will be marked with the `omni.sidero.dev/tainted` annotation to keep in mind that this cluster has weaker security and might need to get its secrets rotated in the future.

utkuozdemir commented 2 weeks ago

Maybe only the Admin should be able to do that, as it bypasses the user management system. Any specific reason to pick Operator?

Unix4ever commented 2 weeks ago

> Maybe only the Admin should be able to do that, as it bypasses the user management system. Any specific reason to pick Operator?

Only Admin can do that, I've updated that check in the API.

We pick Operator to give the same access level as Omni would provide, except you can talk to the nodes directly.

andrewrynhard commented 2 weeks ago

The only thing I would add would be that “tainted” is a pretty broad term and as a user I would want to know why it is “tainted”. I can’t think of a better descriptive name at the moment. Especially with the meaning of tainted in Kubernetes being different than what we mean here.

It also feels like there is some overlap in what we mean by admin here. We have admin roles but this kubeconfig/talosconfig is different from those roles. I think “emergency” better describes the intent of this feature and separates things clearly.

Unix4ever commented 2 weeks ago

> The only thing I would add would be that “tainted” is a pretty broad term and as a user I would want to know why it is “tainted”. I can’t think of a better descriptive name at the moment. Especially with the meaning of tainted in Kubernetes being different than what we mean here.
>
> It also feels like there is some overlap in what we mean by admin here. We have admin roles but this kubeconfig/talosconfig is different from those roles. I think “emergency” better describes the intent of this feature and separates things clearly.

Tainted in the sense that we can no longer guarantee secrets protection. You grabbed the admin config; if you break your cluster, or if you forget to rotate the secrets and it leaks, it's your fault.

Unix4ever commented 2 weeks ago

The name of the resource isn't that important, it's more for our internal usage right now. And if we decide to show the UI, we can give a broad explanation there.

Unix4ever commented 2 weeks ago

/m