Project level permission #3023

Closed
creeram opened this issue Nov 30, 2024 · 4 comments

@creeram

creeram commented Nov 30, 2024

I didn't find an option to grant a user access only to a specific project, and I would love to have this feature implemented in Kargo.

Current feature

  oidc:
    enabled: true
    issuerURL:
    clientID:
    cliClientID:
    additionalScopes:
    - groups
    admins:
      claims: 
        email:
        - [email protected]
        - [email protected]
        groups:
        - kargo-admin
    viewers:
      claims: 
        email:
        - [email protected]
        - [email protected]
        groups:
        - kargo-viewer

**Requested feature**

    projectadmin: # let's say demo-project
      projectname: demo-project
      claims:
        email:
        - [email protected]
        - [email protected]
        groups:
        - kargo-demo-project-admin
    projectreader:
      projectname: demo-project
      claims:
        email:
        - [email protected]
        - [email protected]
        groups:
        - kargo-demo-project-viewer

Expected: Current feature + Requested feature.

@krancour
Member

I'm afraid what you're looking for is not possible and it's not a Kargo limitation. It's a Kubernetes limitation.

Projects are cluster-scoped. If it helps, think of them as namespaces.

It is not possible to give permission to list only certain ones. You can list none or you can list all. As I said -- a Kubernetes limitation.

You pretty much need to grant all authenticated users list on Projects. This can be done at install time. There are options in the chart to specify claims that map to broad read-only access.
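
The "list none or list all" behaviour described above, as an added example that is not part of the thread and is not Kargo or Kubernetes code: a simplified model of how an RBAC rule is matched against a request. The types `PolicyRule` and `Request`, the function `Allows`, and the sample rules are hypothetical; `kargo.akuity.io` is assumed to be the API group of the Project resource.

```go
package main

import "fmt"

// PolicyRule is a cut-down stand-in for an RBAC rule (hypothetical type for this sketch).
type PolicyRule struct {
	APIGroups, Resources, Verbs, ResourceNames []string
}

// Request models what the authorizer sees. Name is empty for a plain collection list.
type Request struct {
	APIGroup, Resource, Verb, Name string
}

func contains(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// Allows mirrors RBAC rule matching: every field must match, and a non-empty
// ResourceNames list only matches a request that names one of those objects.
// The decision is made once per request, before any objects are returned,
// so there is no per-item filtering of a list response.
func Allows(rule PolicyRule, req Request) bool {
	nameOK := len(rule.ResourceNames) == 0
	for _, n := range rule.ResourceNames {
		nameOK = nameOK || n == req.Name
	}
	return contains(rule.APIGroups, req.APIGroup) &&
		contains(rule.Resources, req.Resource) &&
		contains(rule.Verbs, req.Verb) && nameOK
}

// Constructed sample rules; "demo-project" is the project name used in this thread.
var (
	scoped = PolicyRule{[]string{"kargo.akuity.io"}, []string{"projects"}, []string{"get", "list"}, []string{"demo-project"}}
	broad  = PolicyRule{[]string{"kargo.akuity.io"}, []string{"projects"}, []string{"get", "list"}, nil}
)

func main() {
	get := Request{"kargo.akuity.io", "projects", "get", "demo-project"}
	list := Request{"kargo.akuity.io", "projects", "list", ""} // plain list carries no object name
	fmt.Println("scoped get demo-project:", Allows(scoped, get)) // true
	fmt.Println("scoped list:", Allows(scoped, list))             // false: no name to match
	fmt.Println("broad list:", Allows(broad, list))               // true: every Project is returned
}
```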

@creeram
Author

creeram commented Nov 30, 2024

Is there an option to enforce a minimum number of approvers from a specified list of claims to ensure that the preprod and prod stages are only promoted after meeting the required approver count?

@krancour
Member

@creeram there is not. Everything is based on Kubernetes RBAC. If it's not within Kubernetes RBAC's capability, it's not something we have.

In the future, please open a separate issue when asking a question that is not in any way connected to the current thread of conversation.

@krancour
Member

krancour commented Dec 4, 2024

Tentatively closing this. Please do feel free to re-open if you feel there is more to discuss here.

@krancour krancour closed this as completed Dec 4, 2024