Security model for declarative pipelines (pipeline templates)


#1

I’m wondering about the security model for pipeline templates. Can any authenticated user create/delete pipelines in a Spinnaker instance, or is it possible to limit the list/group/role of users that can do it?


#2

Along with provider account read/write access, you can give application-level read/write access in Spinnaker. In the application configuration section of the GUI, you can select groups to give read/write access. If no groups are selected, then all authenticated users have read/write access.


#3

@Rebala these are general authorization rules in Spinnaker. But how do they apply to pipeline templates? As far as I understand they are not associated with applications.


#4

@jacobkiefer confirms my assumption on Slack:

Currently any authenticated user can create/delete pipeline templates: https://github.com/spinnaker/front50/blob/master/front50-web/src/main/groovy/com/netflix/spinnaker/front50/controllers/PipelineTemplateController.java
(there are no fiat checks in that file, unlike the results in this search: https://github.com/spinnaker/front50/search?q=PreAuthorize&unscoped_q=PreAuthorize)
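For readers unfamiliar with the kind of check that search turns up in front50's other controllers: the following is an added illustration, not front50's own code, of what a fiat-backed authorization annotation on a template endpoint could look like. It assumes Spring Security's `@PreAuthorize` with Spinnaker fiat's `PermissionEvaluator` wired in (which is what the `hasPermission(...)` expressions elsewhere in front50 rely on), and it assumes a template model that carries an owning application, which, as the thread notes, real pipeline templates do not have today. The class, DAO, bean name and `owningApplication` field are hypothetical.

```java
// Added illustration, not front50's code. Assumptions: Spring Security
// @PreAuthorize evaluated by fiat's PermissionEvaluator; a hypothetical
// owningApplication field on templates; a DAO registered as the Spring bean
// "pipelineTemplateDAO" so the delete expression can look the owner up.
package example;

import java.util.List;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/pipelineTemplates")
public class GuardedPipelineTemplateController {

  // Hypothetical storage interface standing in for front50's DAO layer.
  // findById is assumed to throw a not-found exception for unknown ids.
  public interface PipelineTemplateDAO {
    PipelineTemplate findById(String id);
    List<PipelineTemplate> all();
    void create(PipelineTemplate template);
    void delete(String id);
  }

  // Hypothetical model. Real templates have no application association,
  // which is exactly why hasPermission(...) has nothing to check against.
  public static class PipelineTemplate {
    public String id;
    public String owningApplication;
  }

  private final PipelineTemplateDAO dao;

  public GuardedPipelineTemplateController(PipelineTemplateDAO dao) {
    this.dao = dao;
  }

  // Listing stays open to any authenticated user: reading a template is the
  // "sharing best practices" case from the thread and leaks no secrets.
  @GetMapping
  public List<PipelineTemplate> list() {
    return dao.all();
  }

  // Without an annotation like this one, any authenticated caller can create.
  // Here creation requires WRITE on the application the template claims.
  @PostMapping
  @PreAuthorize("hasPermission(#template.owningApplication, 'APPLICATION', 'WRITE')")
  public void create(@RequestBody PipelineTemplate template) {
    dao.create(template);
  }

  // Deletion resolves the owner from storage, not from the request, so the
  // caller cannot choose which application name gets authorized.
  @DeleteMapping("/{id}")
  @PreAuthorize("hasPermission(@pipelineTemplateDAO.findById(#id).owningApplication, 'APPLICATION', 'WRITE')")
  public void delete(@PathVariable String id) {
    dao.delete(id);
  }
}
```

The point of the delete expression is the one that matters for the scenario later in this thread: a destructive operation on a shared template should be authorized against something the caller does not control, which is why the owner is looked up server-side rather than taken from the request body.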


#5

@jacobkiefer but that sounds like a security issue, doesn’t it?


#6

Templates should be pipeline best practices that are reusable. If there are no secrets embedded in templates, then it is just sharing best practices. Hydrating pipelines created from templates is specified external to the template anyway. Sharing templates does not seem like a security risk.


#7

@Rebala let me kick in the following scenario:

Someone developed and published a simple “golden” pipeline template that just deploys a new version of a pod to production, destroying all previous ones. And 20 microservices got their pipelines based on it.

Now let’s assume that another person, by mistake (or on purpose), updated this template to destroy all running pods in pro. This change will propagate to all 20 pipelines, and as soon as one of them gets triggered its microservice gets destroyed, causing downtime in pro. Not good.

Does it make sense?


#8

@wheleph is correct, there is essentially no security model enforced for pipeline templates. There would be an audit trail (in Orca) of pipeline templates being modified, but nothing enforcing policies on the operations themselves yet. This is something we will design into managed pipeline templates v2.


#9

Clear. I think it would be great to specify this fact in documentation.


#10

@ddorbin Can you find the right place for this in the docs if one exists?