Securing deployment via manual judgement


#1

I’m trying to model a deployment pipeline that secures stages of the deployment by using manual judgements.

I have created the following scenario:

  • Kubernetes v2 is enabled
  • Deployments are going into a single cluster, with dev, stage, and production segregated by namespaces: dev, stage, and prod.

Using G-Suite as role provider of three roles:

  • deployment_development
  • deployment_staging
  • deployment_production

3 spinnaker accounts defined:

  • deploy-dev
  • deploy-stage
  • deploy-prod

Accounts are associated with namespaces/contexts as follows in the .hal/config:

  • deploy-dev: “namespaces” contains only dev, context is “spinnaker-deploy-dev” which is a kubernetes context associated with the dev namespace.
  • deploy-stage: “namespaces” contains only stage, context is “spinnaker-deploy-stage” which is a kubernetes context associated with the stage namespace.
  • deploy-prod: “namespaces” contains only prod, context is “spinnaker-deploy-prod” which is a kubernetes context associated with the prod namespace.

Permissions on the 3 accounts are:

  • deploy-dev (READ: deployment_development, WRITE: deployment_development)
  • deploy-stage (READ: deployment_development, deployment_staging, WRITE: deployment_development, deployment_staging)
  • deploy-prod (READ: deployment_development, deployment_staging, deployment_production, WRITE: deployment_development, deployment_staging, deployment_production)

Or simply put, along the axis of namespaces, contexts, and roles: dev can only do dev things, stage can do dev or stage things, and prod can do all three.

I then define a pipeline that looks like:

  • Deploy (Manifest) DEV thing, using the deploy-dev account.
  • Manual Judgement
  • Deploy (Manifest) STAGE thing, using the deploy-stage account.
  • Manual Judgement
  • Deploy (Manifest) PROD thing, using the deploy-prod account.

I log in as a user who has the deployment_staging role and I do a manual execution of the pipeline.

  • DEV thing deploys properly, so far so good.
  • I get asked to continue, I continue.
  • STAGE thing deploys properly, even better.
  • I get asked to continue, I continue.
  • PROD thing deploys properly… wait a minute. I didn’t want that to happen. I expected this to fail due to my lack of prod permission.

I have “propagate authentication” checked in my Manual Judgement steps (Hoping that my deploy to prod, via the deploy-prod account, would fail based on my lack of the deployment_production role).

So my questions:

  • Is the above supposed to work, in theory, and I’m just misconfigured?
  • Is the above not supposed to work and I’m totally misapprehending the nature of spinnaker permissions?
  • If permissions do not work this way, does anyone have pointers on how to achieve the above effect using Spinnaker?
  • Or does anybody have a pointer to “best practices” in segregating deployments this way? Or should I be going about it in an entirely different manner?

#2

And the answer is… Misconfigured. I was thinking about it upside-down. In case it’s useful to someone else, the permissions need to be:

  • deploy-dev (READ: deployment_development, deployment_staging, deployment_production, WRITE: deployment_development, deployment_staging, deployment_production).

Meaning anybody with any role can do things at stages mapped to the deploy-dev account.

  • deploy-stage (READ: deployment_staging, deployment_production, WRITE: deployment_staging, deployment_production)

Meaning anybody with production or staging roles can do things at stages mapped to the deploy-stage account. Users with only deployment_development will fail.

  • deploy-prod (READ: deployment_production, WRITE: deployment_production)

Meaning anybody with the production role can do things at stages mapped to the deploy-production account, but nobody else can.

Reconfigured this way, when I tried to execute the stage mapped to the deploy-prod account I got the following appropriate error:


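To make the difference between the two permission layouts concrete, here is a small added model (not Spinnaker's or Fiat's own code) of the any-matching-role check Fiat applies to an account: a user may deploy through an account if they hold at least one of its WRITE roles. It assumes the executing user holds both deployment_development and deployment_staging (post #1 only states staging) and that the manual judgements propagate that user's identity to the later stages; under those assumptions it reproduces post #1's surprise and post #2's denial at the prod stage.

```python
"""Simplified model of how Fiat account permissions gate pipeline stages."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    read: frozenset
    write: frozenset


def can_write(account, user_roles):
    # Fiat grants an authorization when the user holds at least one of the
    # roles listed for it; deploying a manifest needs WRITE on the account.
    # An account with no permissions configured is unrestricted.
    if not account.write:
        return True
    return bool(account.write & user_roles)


def run_pipeline(stages, accounts, user_roles):
    """stages: list of (stage_name, account_name). Returns the name of the
    first stage the user may not execute, or None if every stage passes."""
    for stage, acct_name in stages:
        if not can_write(accounts[acct_name], user_roles):
            return stage
    return None


DEV, STAGE, PROD = ("deployment_development", "deployment_staging",
                    "deployment_production")


def make_accounts(dev_roles, stage_roles, prod_roles):
    # READ and WRITE are kept identical, as in both posts.
    return {a.name: a for a in (
        Account("deploy-dev", frozenset(dev_roles), frozenset(dev_roles)),
        Account("deploy-stage", frozenset(stage_roles), frozenset(stage_roles)),
        Account("deploy-prod", frozenset(prod_roles), frozenset(prod_roles)),
    )}


# Post #1: each account lists its own tier and the tiers below it.
ORIGINAL = make_accounts({DEV}, {DEV, STAGE}, {DEV, STAGE, PROD})
# Post #2: each account lists its own tier and the tiers above it.
CORRECTED = make_accounts({DEV, STAGE, PROD}, {STAGE, PROD}, {PROD})

PIPELINE = [("Deploy DEV", "deploy-dev"), ("Deploy STAGE", "deploy-stage"),
            ("Deploy PROD", "deploy-prod")]

if __name__ == "__main__":
    user = frozenset({DEV, STAGE})  # assumed roles of the executing user
    for label, accounts in (("original", ORIGINAL), ("corrected", CORRECTED)):
        blocked = run_pipeline(PIPELINE, accounts, user)
        print(f"{label}: blocked at {blocked or 'nothing (all stages ran)'}")
```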

#3

Thanks for posting your working solution, Nick!