Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update gitops-abac.md #1052

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Update gitops-abac.md #1052

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
53396ac
Update gitops-abac.md
NimRegev Aug 27, 2024
878194a
Update gitops-abac.md
NimRegev Aug 27, 2024
b1ff09f
Update gitops-abac.md
NimRegev Aug 27, 2024
59a07ff
Update gitops-abac.md
NimRegev Aug 27, 2024
c088e61
Update gitops-abac.md
NimRegev Aug 27, 2024
5f75384
Update gitops-abac.md
NimRegev Aug 28, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
83 changes: 58 additions & 25 deletions _docs/administration/account-user-management/gitops-abac.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,66 +5,99 @@ toc: true
---

Control access to entities in GitOps through ABAC (Attribute-Based Access Control). ABAC allows fine-grained access to application entities through the use of rules.
For GitOps, you can currently define ABAC for application entities in the Codefresh UI or programmatically via Terraform.
Define ABAC for applications, products, and promotion entities, in the Codefresh UI or programmatically via Terraform.<br>
For more information on ABAC, see [ABAC on Wikipedia](https://en.wikipedia.org/wiki/Attribute-based_access_control){:target="\_blank"}.


Rules define the *who*, *what*, and *where* control access to GitOps applications, through the following elements:
* Teams
Teams control the _who_ part of the rule.
Rules define the *who*, *what*, and *where* to control access through the following elements:
* **Entities**
The entity for which to create the rule.
* **Teams**
Teams control the _who_ part of the rule. See [Adding users and teams]({{site.baseurl}}/docs/administration/account-user-management/add-users/).

* Actions
Actions control the _what_ part of the rule. You need to select at least one action.
* **Actions**
Actions control the _what_ part of the rule. You need to select at least one action per entity.

* Attributes
Attributes control the _where_ part of the rule.
Attributes are a combination of standard Kubernetes and Codefresh-specific attributes. You have Kubernetes attributes such as clusters, namespaces, and labels, and attributes unique to Codefresh such as Runtimes and Git Sources.
* **Attributes**
Attributes control the _where_ part of the rule. They include standard Kubernetes (clusters, namespaces, and labels), and Codefresh-specific attributes(Runtimes and Git Sources). The attributes which are available depend on the selected entity.<br>
Adding attributes, either individually or in combination, allow more fine-grained access control to enforce the _where_ policies for teams and actions. <br>Single attributes are useful to grant or deny access based on a specific property. Combinations of attributes help enforce more complex access control.


## Creating a rule in Codefresh UI
For each rule, you must select or define:
* The team or teams the rule applies to, with at least one team being mandatory
* The action or actions permitted for the entity, with at least one action being mandatory
* The attribute or attributes determining where access is permitted
## Creating a rule for GitOps ABAC in Codefresh UI
For each rule, you must select or define the:
* Entity for which to create the rule
* Team or teams the rule applies to, with at least one team being mandatory
* Action or actions permitted for the entity, with at least one action being mandatory
* Attribute or attributes determining where access is permitted

<br>

**How to**
##### Before you begin
* Review [Entity-based actions & attributes](#entity-based-actions--attributes)

##### How to

1. In the Codefresh UI, on the toolbar, click the **Settings** icon.
1. On the sidebar, from Access & Collaboration, select [**GitOps Permissions**](https://g.codefresh.io/account-admin/permissions/teams){:target="\_blank"}.
1. To create a rule, click **Add** and define the **Teams**, **Actions**, and **Attributes** for the rule.
1. To create a rule, click **Add** and define the following:
* **Entity**: One of the following: {::nomarkdown} <ul><li>GitOps Applications</li><li>Promotion Flows</li><li>Products</li><li>Environments</li></ul>{:/}
* **Team**: The team or teams to which to give access to the selected entity.
* **Actions**: The actions to permit based on those available for the selected entity.
* **Attributes**: One more attributes based on those available for the selected entity.
1. To confirm, click **Add** once again.

{% include
image.html
lightbox="true"
file="/images/administration/access-control/gitops/gitops-add-rule.png"
url="/images/administration/access-control/gitops/gitops-add-rule.png"
alt="Add rule for Argo CD applications"
caption="Add rule for Argo CDapplications"
alt="Add rule for applications"
caption="Add rule for applications"
max-width="50%"
%}

The rule you added for the entity is displayed in the GitOps Permissions page. Edit or delete the rule by clicking the respective icons.

## Creating a rule programmatically via Terraform
## Creating a rule for GitOps ABAC programmatically via Terraform
You can also create rules enforcing ABAC for GitOps via Terraform.
See the documentation for [codefresh_abac_rules](https://registry.terraform.io/providers/codefresh-io/codefresh/latest/docs/resources/abac_rules){:target="\_blank"}.



## Argo CD Applications rule elements
## Entity-based actions & attributes
Actions and attributes available differ for the
### Applications: Actions & Attributes


{: .table .table-bordered .table-hover}
| Applications | Description |
|----------------------------|-----------------------|
|**Actions** | {::nomarkdown}><ul><li><b>Refresh</b>: Allow users to manually regular refresh or hard refresh. The Refresh action is automatically disabled on selecting the Sync action which takes precedence. See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#refreshhard-refresh-applications">Refresh/Hard Refresh applications</a>.</li><li><b>Sync</b>: Allow users to manually sync an application on-demand, and define the options for manual sync.<br>Selecting Sync automatically disables the Refresh action as Sync takes precedence over it. <br> See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#manually-synchronize-an-application">Manually synchronize an application</a>.</li><li><b>Terminate Sync</b>: Allow users to manually stop an ongoing sync for an application. See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#terminate-on-going-application-sync">Terminate on-going application sync</a></li><li><b>Perform application rollback</b>: Allow users to rollback the current release of an application to a previous deployment version or release in Codefresh. See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#rollback-argo-cd-applications">Rollback Argo CD applications</a>.</li><li><b>View pod logs</b>: Allow users to view logs for pod resources of an application in the Current State tab. <br>See <a href="https://codefresh.io/docs/docs/deployments/gitops/applications-dashboard/#logs-for-application-resources">Logs for application resources</a>.</li><li><b>Pause rollout</b> and <b>Resume rollout</b>: Allow users to pause an ongoing rollout and resume a paused rollout either directly from the Timeline tab of the application, or through the controls in the Rollout Player. <br>See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#pauseresume-ongoing-rollouts">Pause/resume ongoing rollouts</a> and <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#manage-an-ongoing-rollout-with-the-rollout-player">Managing an ongoing rollout with the Rollout Player</a>.</li><li><b>Promote full rollout</b>: Allow users to use the Promote Full button in the Rollout Player to skip the remaining steps in the rollout and promote to deployment. See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#manage-an-ongoing-rollout-with-the-rollout-player">Managing an ongoing rollout with the Rollout Player</a>.</li><li><b>Skip current step in rollout</b>: Allow users to use the Skip Step button in the Rollout Player to skip executing the current step in the rollout. <br>See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#manage-an-ongoing-rollout-with-the-rollout-player">Managing an ongoing rollout with the Rollout Player</a>.</li><b>Delete resource</b>: Allow users to delete an application resource from the Current State tab. See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#delete-an-application">Delete an application</a>.</li></ul>{:/} |
|**Attributes** |Allow access to application entities on a cluster or within a namespace through a single attribute or a combination of attributes.<br>You can also add multiple instances of the same attribute with different values. {::nomarkdown} <ul><li><b>Cluster</b>: Allow access to all application entities in the cluster, regardless of the namespace, Runtime, and Git Sources of specific applications.</li><li><b>Namespace</b>: Allow access to application entities only within the namespace. If users have multiple accounts on different clusters with the same namespace, they can access applications in all those namespaces.</li><li><b>Runtime</b>: Allow access to application entities associated with the defined Runtime.</li><li><b>Git Source</b>: Allow access to application entities only in the defined Git Source. A Git Source is always associated with a Runtime.</li><li><b>Label</b>: Allow access only to application entities that share the same label. For example, add multiple Label attributes with different values to sync application entities.</li></ul>{:/} |

## Environments: Actions & attributes

{: .table .table-bordered .table-hover}
| Rule Element | Description |
| -------------- | -------------- |
|Teams | The team or teams to which to give access to the Application Entity. See [Adding users and teams]({{site.baseurl}}/docs/administration/account-user-management/add-users/).|
|Actions | The actions permitted for the application entity, and can be any or all of the following: {::nomarkdown} <ul><li><b>Refresh</b>: Allow users to manually regular refresh or hard refresh. The Refresh action is automatically disabled on selecting the Sync action which takes precedence. See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#refreshhard-refresh-applications">Refresh/Hard Refresh applications</a>.</li><li><b>Sync</b>: Allow users to manually sync an application on-demand, and define the options for manual sync.<br>Selecting Sync automatically disables the Refresh action as Sync takes precedence over it. <br> See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#manually-synchronize-an-application">Manually synchronize an application</a>.</li><li><b>Terminate Sync</b>: Allow users to manually stop an ongoing sync for an application. See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#terminate-on-going-application-sync">Terminate on-going application sync</a></li><li><b>Perform application rollback</b>: Allow users to rollback the current release of an application to a previous deployment version or release in Codefresh. See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#rollback-argo-cd-applications">Rollback Argo CD applications</a>.</li><li><b>View pod logs</b>: Allow users to view logs for pod resources of an application in the Current State tab. <br>See <a href="https://codefresh.io/docs/docs/deployments/gitops/applications-dashboard/#logs-for-application-resources">Logs for application resources</a>.</li><b>Pause rollout</b> and <b>Resume rollout</b>: Allow users to pause an ongoing rollout and resume a paused rollout either directly from the Timeline tab of the application, or through the controls in the Rollout Player. <br>See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#pauseresume-ongoing-rollouts">Pause/resume ongoing rollouts</a> and <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#manage-an-ongoing-rollout-with-the-rollout-player">Managing an ongoing rollout with the Rollout Player</a>.</li><li><b>Promote full rollout</b>: Allow users to use the Promote Full button in the Rollout Player to skip the remaining steps in the rollout and promote to deployment. See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#manage-an-ongoing-rollout-with-the-rollout-player">Managing an ongoing rollout with the Rollout Player</a>.</li><li><b>Skip current step in rollout</b>: Allow users to use the Skip Step button in the Rollout Player to skip executing the current step in the rollout. <br>See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#manage-an-ongoing-rollout-with-the-rollout-player">Managing an ongoing rollout with the Rollout Player</a>.</li><b>Delete resource</b>: Allow users to delete an application resource from the Current State tab. See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#delete-an-application">Delete an application</a>.</li></ul>{:/} |
|Attributes |Adding attributes, either individually or in combination, allow more fine-grained access control to enforce the _where_ policies for teams and actions. <br>Single attributes are useful to grant or deny access based on a specific property. For example, allow access to application entities on a cluster or within a namespace. <br>Combinations of attributes help enforce more complex access control. For example, require both a Runtime and a Label attribute to grant access to an application entity.<br>You can also add multiple instances of the same attribute with different values. For example, multiple Label attibutes with different values to sync application entities.{::nomarkdown} <ul><li><b>Cluster</b>: Allow access to all application entities in the cluster, regardless of the namespace, Runtime, and Git Sources of specific applications.</li><li><b>Namespace</b>: Allow access to application entities only within the namespace. If users have multiple accounts on different clusters with the same namespace, they can access applications in all those namespaces.</li><li><b>Runtime</b>: Allow access to application entities associated with the defined Runtime.</li><li><b>Git Source</b>: Allow access to application entities only in the defined Git Source. A Git Source is always associated with a Runtime.</li><li><b>Label</b>: Allow access only to application entities that share the same label.</li></ul>{:/} |
| Environments | Description |
|----------------------------|-----------------------|
| **Actions** |**Promote to this environment**: {::nomarkdown}<ul><li>Allow users to manually trigger a promotion from within a Promotion Flow. See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#refreshhard-refresh-applications">Trigger a promotion????</a>.</li><li>Allow users to manually promote an application to the desired environment through a Promotion Flow. See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#refreshhard-refresh-applications">Promote an application????</a>.</li><li>Allow users to drag-and-drop application from one environment to another and trigger promotion. See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#refreshhard-refresh-applications">Trigger a promotion????</a>.</li></ul>{:/} |
|**Attributes** |{::nomarkdown} <ul><li><b>Environment_Name</b>: Allow users to promote to all environments that match the name or names. For example, allows users in team `Dev` to promote to `dev` and `staging` environments only.</li><li><b>Environment_Kind</b>: Allow users to promote to only the specified type of environment, either `production` or `non-production`. </li></ul>{:/} |

## Products: Actions & attributes

{: .table .table-bordered .table-hover}
| Products | Description |
|----------------------------|-----------------------|
|**Actions** |{::nomarkdown}<ul><li><b>Trigger promotion</b>: Allow users to manually trigger a promotion from within a Promotion Flow. See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#refreshhard-refresh-applications">Trigger a promotion????</a>.</li><li><b>Retry failed release</b>: Allow users to restart a failed release from the point of failure. See <a href="https://codefresh.io/docs/docs/deployments/gitops/manage-application/#refreshhard-refresh-applications">Retry failed releases???</a>.</li></ul>{:/} |
|**Attributes** |{::nomarkdown} <ul><li><b>Label</b>: Allow users to trigger promotions or to retry failed releases only for products that match the specified labels. For example, allow users in team `Dev` to promote products with the label ???. See <a href=" ">Configuring labels in Product Settings</a> </li><li><b>Product_Name</b>: Allow users to trigger promotions or to retry failed releases only for products that match the specified names. For example, allow users in team `Dev` to promote products with the label ???. </li></ul>{:/} |

## Promotion Flows: Actions & attributes

{: .table .table-bordered .table-hover}
| Promotion Flows | Description |
|----------------------------|-----------------------|
|**Actions** | **Trigger promotion flow**: Allow users to manually trigger a promotion from within a Promotion Flow. See[TBD]Trigger a promotion????|
|**Attributes** | **Label**: Allow users to trigger promotions for Promotion Flows that match the specified label ???. |


## Examples of rules for application entities
Expand Down