Commit 612c01e
Promote new konflux-admins permissions to prod (#9193)

Update konflux-admins to provide cluster-admin-like permissions while
preventing secret access both directly and indirectly via pod manipulation.

Key changes:
* Block direct access to secrets and internalrequests
* Restrict pod-creating resources (apps, batch, tekton) to read-only+delete
* Expand API group coverage from 30 to 153 groups
* Add konflux-admins-pod-admin for namespace-specific pod management
  (default and openshift-etcd namespaces only)

This prevents users from creating pods that could mount secrets while
maintaining operational capabilities for monitoring and cleanup.

KFLUXINFRA-2410

Signed-off-by: Hugo Ares <[email protected]>

1 parent 35d2210 commit 612c01e

5 files changed, +211 -633 lines changed
- components/authentication
  - base
  - staging/base
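
One way to check a role's rules against the constraints listed in the commit message; this is an added example, not code from the commit or its repository. The rule dicts are constructed samples, `audit_rules` is a hypothetical helper, and the `tekton.dev` group name and the exact verb set behind "read-only+delete" are assumptions.

```python
# Added example: audit RBAC rules (the `rules` list of a ClusterRole or Role)
# against the policy described in the commit message.
BLOCKED_RESOURCES = {"secrets", "internalrequests"}     # no access at all
POD_CREATING_GROUPS = {"apps", "batch", "tekton.dev"}   # assumed group names
ALLOWED_VERBS = {"get", "list", "watch", "delete"}      # assumed "read-only+delete"


def grants_blocked(groups, resources):
    """True if the rule can reach a blocked resource, by name or by wildcard."""
    named = bool(resources & BLOCKED_RESOURCES)  # conservative: any API group
    # A '*' resource only reaches secrets via the core ("") or wildcard group.
    wildcard = "*" in resources and ("" in groups or "*" in groups)
    return named or wildcard


def audit_rules(rules):
    """Return a list of (rule_index, reason) policy violations."""
    findings = []
    for i, rule in enumerate(rules):
        groups = set(rule.get("apiGroups", []))
        # Drop subresources so "deployments/scale" is judged as "deployments".
        resources = {r.split("/")[0] for r in rule.get("resources", [])}
        verbs = set(rule.get("verbs", []))
        if not resources or not verbs:
            continue
        if grants_blocked(groups, resources):
            findings.append((i, "reaches secrets or internalrequests"))
        if "*" in groups or groups & POD_CREATING_GROUPS:
            extra = verbs - ALLOWED_VERBS  # '*' and create/update/patch land here
            if extra:
                findings.append((i, "write verbs on pod-creating group: "
                                    + ",".join(sorted(extra))))
    return findings


# Constructed sample rules, not taken from the repository.
SAMPLE_RULES = [
    {"apiGroups": ["apps", "batch"], "resources": ["*"],
     "verbs": ["get", "list", "watch", "delete"]},
    {"apiGroups": ["tekton.dev"], "resources": ["pipelineruns"],
     "verbs": ["get", "create"]},
    {"apiGroups": [""], "resources": ["*"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["configmaps", "pods/log"],
     "verbs": ["get", "list"]},
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]

if __name__ == "__main__":
    for index, reason in audit_rules(SAMPLE_RULES):
        print(f"rule {index}: {reason}")
```

The check covers rules inside one role only; a binding that also grants a broader role to the same subject needs a separate review.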