add keppel.RBACPolicy.ForbiddenPermissions#514
Merged
Conversation
majewsky
requested review from
Nuckal777,
SuperSandro2000,
VoigtS and
wagnerd3
as code owners
"GrantsPull" etc. do not read well in the context of ForbiddenPermissions.
SuperSandro2000
approved these changes
Mar 27, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This solves a functionality gap that I regret not including in the original design. For our core Keppel accounts, I would like to forbid pushing by human users, but also human users need to have the
registry_adminrole to be able to administer the accounts (e.g. to delete old images).It will be too late to switch over the existing Keppel accounts now because I'm afraid it will break existing workflows, but for the new OCM accounts, I want to get it right from the get-go, and lock out everyone except for one technical user used by the CI from pushing into it.