Scope of pubsub subscriptions [solved]


#1

Our Spinnaker instance (version 1.8.5) manages many applications, and each of them has its own GCR. Users of Spinnaker should be able to see only those registries that they have access to. For Docker provider accounts this is easily achievable via the parameter --required-group-membership. A good side effect is that users are able to see in the UI only those accounts that they have access to.

We are thinking about replacing pipeline Docker triggers with GCR Pub/Sub triggers (https://www.spinnaker.io/setup/triggers/google/). That should reduce polling on GCR.

However, it seems like it’s not possible to set any permissions on pubsub subscriptions: https://github.com/spinnaker/halyard/blob/master/docs/commands.md#hal-config-pubsub-google-subscription. So everybody will be able to see every configured subscription in the system.

It’s probably not that bad from a security standpoint, but the UI will be messy, because most of the subscriptions shown in the UI will not be relevant to users.

So is it possible to limit the number of pubsub subscriptions that users see in the UI according to their membership?


#2

From Slack conversation with @ezimanyi

There is currently no way to add permissions/scoping to pubsub subscriptions, but it is a request that we’ve heard before, so it is on our roadmap.
(Though not sure exactly when we’ll get to it.)