docs(api): document ClusterCryostat API #544

Merged: 6 commits, Apr 5, 2023

ebaron (Member) commented Apr 4, 2023

This PR adds a separate docs/multi-namespace.md that only highlights the differences compared to the existing Cryostat CRD. It includes references to docs/config.md that point out that all existing configuration can be used with the ClusterCryostat CRD as well.

Fixes: #521

ebaron added the docs label Apr 4, 2023
ebaron marked this pull request as ready for review April 4, 2023 22:05
ebaron requested a review from andrewazores April 4, 2023 22:05
ebaron (Member, Author) commented Apr 4, 2023

@andrewazores What do you think? Should we add something here about the multi-tenancy concerns in https://github.com/cryostatio/cryostat/issues/1409?

andrewazores (Member) commented

> @andrewazores What do you think? Should we add something here about the multi-tenancy concerns in cryostatio/cryostat#1409?

Yes, I think so. Maybe between the "cluster scoped" and "installation namespace" sections.

### Data Isolation
When installed in a cluster-wide, multi-namespace manner, all users with access to a Cryostat instance have the same visibility and privileges to all data available to that Cryostat instance. Administrators deploying Cryostat instances must ensure that the users who have access to a Cryostat instance also have equivalent access to all the applications that can be monitored by that Cryostat instance. Otherwise, underprivileged users may use Cryostat to escalate permissions to start recordings and collect JFR data from applications that they do not otherwise have access to.

ebaron (Member, Author) commented Apr 5, 2023

> > @andrewazores What do you think? Should we add something here about the multi-tenancy concerns in cryostatio/cryostat#1409?
>
> Yes, I think so. Maybe between the "cluster scoped" and "installation namespace" sections.
>
> ### Data Isolation
> When installed in a cluster-wide, multi-namespace manner, all users with access to a Cryostat instance have the same visibility and privileges to all data available to that Cryostat instance. Administrators deploying Cryostat instances must ensure that the users who have access to a Cryostat instance also have equivalent access to all the applications that can be monitored by that Cryostat instance. Otherwise, underprivileged users may use Cryostat to escalate permissions to start recordings and collect JFR data from applications that they do not otherwise have access to.

Looks good, I've added this section now.

ebaron (Member, Author) commented Apr 5, 2023

I've added another sentence to that section that mentions how the authorization checks are done against the install namespace instead of the target namespaces.

ebaron merged commit a485e53 into cryostatio:main Apr 5, 2023
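
An audit for the Data Isolation requirement discussed in this thread, as an added example that is not part of the PR or the Cryostat project's code: it flags subjects that hold a RoleBinding in the Cryostat install namespace but none in one or more target namespaces. The namespace names, subject names and sample bindings are constructed, and treating any RoleBinding as "access" (and any ClusterRoleBinding as covering every namespace) is a simplifying assumption.

```python
from collections import defaultdict

# Constructed sample in the shape of `kubectl get rolebindings,clusterrolebindings -A -o json` items.
SAMPLE_BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "cryostat-users", "namespace": "cryostat-install"},
     "subjects": [{"kind": "User", "name": "alice"}, {"kind": "User", "name": "bob"}]},
    {"kind": "RoleBinding", "metadata": {"name": "team-a", "namespace": "app-a"},
     "subjects": [{"kind": "User", "name": "alice"}, {"kind": "User", "name": "bob"}]},
    {"kind": "RoleBinding", "metadata": {"name": "team-b", "namespace": "app-b"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"kind": "RoleBinding", "metadata": {"name": "cryostat-admins", "namespace": "cryostat-install"},
     "subjects": [{"kind": "User", "name": "carol"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admins"},
     "subjects": [{"kind": "User", "name": "carol"}]},
]


def subject_key(subject, binding_ns):
    """Stable identifier for a binding subject; ServiceAccounts are namespaced."""
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount/{subject.get('namespace', binding_ns)}/{subject['name']}"
    return f"{subject['kind']}/{subject['name']}"


def find_access_gaps(bindings, install_ns, target_namespaces):
    """Return {subject: [target namespaces without a binding]} for subjects bound in install_ns."""
    bound_in = defaultdict(set)  # subject -> namespaces where it has a RoleBinding
    cluster_wide = set()         # subjects with a ClusterRoleBinding (assumed to cover all namespaces)
    for binding in bindings:
        ns = binding["metadata"].get("namespace")
        for subject in binding.get("subjects") or []:
            key = subject_key(subject, ns)
            if binding["kind"] == "ClusterRoleBinding":
                cluster_wide.add(key)
            else:
                bound_in[key].add(ns)
    gaps = {}
    for key, namespaces in bound_in.items():
        if install_ns not in namespaces or key in cluster_wide:
            continue
        missing = sorted(set(target_namespaces) - namespaces)
        if missing:
            gaps[key] = missing
    return gaps


if __name__ == "__main__":
    for who, missing in find_access_gaps(SAMPLE_BINDINGS, "cryostat-install", ["app-a", "app-b"]).items():
        print(f"{who} can reach Cryostat but has no binding in: {', '.join(missing)}")
```

Group membership and the specific verbs each role grants are not resolved here, so a reported gap is a prompt to review that subject's actual permissions in the listed namespaces.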

Successfully merging this pull request may close these issues.

Document ClusterCryostat API