Before version 2.17, there was no way to prevent application creation in Spinnaker. In Armory Spinnaker 2.17 and later, Fiat can control application creation through a new permission option, CREATE.
Note: When configuring permissions, you must explicitly configure permissions for each user role. The default for a user role is no permissions, which means it cannot perform any actions.
This document assumes that you have enabled and configured Fiat.
This was tested on version 2.17 and may change in later versions.
Fiat is the authorization (authz) microservice of Spinnaker; it looks up permissions from different sources. In 2.17, new sources were added, providing more flexibility for applying permissions. This page focuses on the prefix source, which controls permissions for any application whose name starts with a given prefix. To use this functionality, you need to enable Fiat to use the new sources and set prefixes as one of the sources.
Perform the following steps:

In fiat-local.yml, set the value for auth.permissions.provider.application to aggregate.

Add prefixes as a source:

    auth.permissions.source.application.prefix:
      enabled: true

Define the permissions for a prefix:

    - prefix: <some_prefix>
      permissions:
        READ:
          - "<user role 1>"
          - "<user role 2>"
          - "<user role n>"
        WRITE:
          - "<user role n>"
        EXECUTE:
          - "<user role n>"
The below example does the following:

Enables the prefix source as one of these new sources.

Sets permissions for any application whose name matches the prefix apptest-* based on roles:

    #fiat-local.yml
    auth.permissions.provider.application: aggregate
    auth.permissions.source.application.prefix:
      enabled: true
      prefixes:
        - prefix: "apptest-*"
          permissions:
            READ:
              - "role-one"
              - "role-two"
            WRITE:
              - "role-one"
            EXECUTE:
              - "role-one"
As a result, for any application that matches the prefix apptest-*, users with the role-one role have READ, WRITE, and EXECUTE permissions, while users with the role-two role are read-only.
To restrict application creation specifically, add fiat.restrictApplicationCreation and set it to true:

Note: Currently, the prefix source is the only source that supports the CREATE permission.

    #fiat-local.yml
    fiat.restrictApplicationCreation: true
    auth.permissions.provider.application: aggregate
    auth.permissions.source.application.prefix:
      enabled: true
      prefixes:
        - prefix: "*"
          permissions:
            CREATE:
              - "role-one"
            READ:
              - "role-one"
              - "role-two"
            WRITE:
              - "role-one"
            EXECUTE:
              - "role-one"
The above example assigns CREATE permission to users with the role-one role. Users without the role-one role cannot create any applications in Spinnaker because only role-one has CREATE permission.
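The following is an added example, not Fiat's own code, that models the CREATE check the configuration above expresses so you can sanity-check a fiat-local.yml fragment before deploying it. It assumes a prefix such as "apptest-*" is matched as a shell-style glob against the application name, and that creation is allowed when any matching prefix lists one of the user's roles under CREATE; the config is embedded as a Python dict mirroring the YAML on this page.

```python
from fnmatch import fnmatchcase

# Constructed config: the same keys and values as the page's fiat-local.yml example.
FIAT_CONFIG = {
    "fiat.restrictApplicationCreation": True,
    "auth.permissions.provider.application": "aggregate",
    "auth.permissions.source.application.prefix": {
        "enabled": True,
        "prefixes": [
            {"prefix": "*",
             "permissions": {"CREATE": ["role-one"],
                             "READ": ["role-one", "role-two"],
                             "WRITE": ["role-one"],
                             "EXECUTE": ["role-one"]}},
        ],
    },
}


def matching_prefixes(config, app_name):
    """Prefix entries whose pattern matches app_name (glob matching is an assumption)."""
    source = config.get("auth.permissions.source.application.prefix", {})
    if not source.get("enabled"):
        return []
    return [p for p in source.get("prefixes", []) if fnmatchcase(app_name, p["prefix"])]


def can_create(config, app_name, user_roles):
    """True if a user holding user_roles may create app_name under this config."""
    if not config.get("fiat.restrictApplicationCreation", False):
        return True  # creation is not restricted at all, as before 2.17
    for entry in matching_prefixes(config, app_name):
        # A role's default is no permissions, so only an explicit CREATE grant counts.
        if set(entry["permissions"].get("CREATE", [])) & set(user_roles):
            return True
    return False


def create_grantees(config):
    """Roles granted CREATE by any prefix; an empty set with restriction on means nobody can create apps."""
    source = config.get("auth.permissions.source.application.prefix", {})
    roles = set()
    for entry in source.get("prefixes", []):
        roles.update(entry["permissions"].get("CREATE", []))
    return roles
```

Run create_grantees on a candidate config before hal deploy apply: if it returns an empty set while fiat.restrictApplicationCreation is true, no role will be able to create applications.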
Apply the configuration with hal deploy apply.
The following screenshot shows what happens when a user without sufficient permissions attempts to create an application in Deck, Spinnaker’s UI: