Skip to content
This repository was archived by the owner on Jul 31, 2023. It is now read-only.

Security: kappnav/design

Security

security.md

Security

Application Controller

Requirement: Prism must run on cluster that have RBAC enabled. Therefore ...

The Application Controller requires read/write access to all Kubernetes resources across all namespaces. There, it will run with a default service account and a cluster role binding, binding it to the cluster-admin cluster role, which grants full access to all resources in the cluster.

The following cluster role binding should achieve the desired result:

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
    app: application-controller
  name: application-controller
  namespace: prism
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: default
  namespace: prism

Notes

Resources:

  1. ICP Security Roadmap - See especially
    1. IAM Onboarding
    2. ICP RBAC Spec
    3. IAM Developer Guide
    4. Security API Doc
  2. CAM IM Onboarding
  3. CAM Login Flow
  4. CAM Onboarding Flow

From Chunlong:

ICp authentication service allows boarding of any applications.

Security Architecture:

architecture

There aren’t any published security advisories