Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Task] Configure Cryostat for All Namespaces discovery mode #976

Open
Tracked by #716
andrewazores opened this issue Nov 26, 2024 · 1 comment
Open
Tracked by #716

[Task] Configure Cryostat for All Namespaces discovery mode #976

andrewazores opened this issue Nov 26, 2024 · 1 comment
Labels
blocked feat New feature or request question Further information is requested

Comments

@andrewazores
Copy link
Member

No description provided.

@andrewazores andrewazores transferred this issue from cryostatio/cryostat Nov 26, 2024
@andrewazores andrewazores added the feat New feature or request label Nov 26, 2024
@andrewazores andrewazores moved this to Backlog in 4.0.0 release Nov 26, 2024
@andrewazores
Copy link
Member Author

This goes back to:

Creating an "All Namespaces" instance (ie the old ClusterCryostat) means that that particular Cryostat instance has visibility into all namespaces of the cluster, and can potentially connect to and gather data from all (Java) applications in the cluster. Any user who has access to that Cryostat instance can therefore pull out data from any application, including ones in namespaces where the user does not actually have access. This is a big footgun, and any admin user who creates such a Cryostat instance is essentially offering a privilege escalation to other users.

For the Helm chart, where installations are more likely to be one-off/short-lived for ad hoc troubleshooting, this may be an acceptable and useful feature despite the security implications. For the Operator, where installations are intended to be more long-lived and hardened deployments, we should not move forward with this until we have a multitenancy story (cryostatio/cryostat-legacy#1188, cryostatio/cryostat#630, cryostatio/cryostat-legacy#1409) and can enforce authorization and access controls to ensure that users accessing Cryostat do not gain access to data from other namespaces where they are lacking authorization.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
blocked feat New feature or request question Further information is requested
Projects
None yet
Development

No branches or pull requests

1 participant