kubevela/charts/vela-core/templates/NOTES.txt
2025-09-17 04:33:20 +08:00


Welcome to use the KubeVela! Enjoy your shipping application journey!
,
//,
////
./ /////*
,/// ///////
.///// ////////
/////// /////////
//////// //////////
,///////// ///////////
,////////// ///////////.
./////////// ////////////
//////////// ////////////.
*//////////// ////////////*
#@@@@@@@@@@@* ..,,***/ /////////////
/@@@@@@@@@@@#
*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@&
.@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
.&@@@* *@@@& ,@@@&.
_ __ _ __ __ _
| |/ /_ _ | |__ ___\ \ / /___ | | __ _
| ' /| | | || '_ \ / _ \\ \ / // _ \| | / _` |
| . \| |_| || |_) || __/ \ V /| __/| || (_| |
|_|\_\\__,_||_.__/ \___| \_/ \___||_| \__,_|
You can refer to https://kubevela.io for more details.
{{- if and .Values.authentication.enabled (not .Values.authentication.withUser) }}

WARNING: Authentication is enabled but withUser is disabled.
This configuration provides NO security benefit:
  - All applications will run as '{{ .Values.authentication.defaultUser }}' regardless of who creates them
  - User groups matching '{{ .Values.authentication.groupPattern }}' are still collected but not used effectively
  - Service account annotations are blocked

To enable true user impersonation for security:
  --set authentication.withUser=true
{{- end }}
{{- if and (not .Values.authorization.definitionValidationEnabled) (not .Values.authentication.enabled) }}

SECURITY RECOMMENDATION: Both authentication and definition validation are disabled.
If KubeVela is running with cluster-admin or other high-level permissions,
consider enabling one or both security features:

1. Authentication with impersonation (recommended for multi-tenant environments):
   --set authentication.enabled=true
   --set authentication.withUser=true
   This makes KubeVela impersonate the requesting user, applying their RBAC permissions.
   Note: Both flags must be enabled for user impersonation to work.

2. Definition permission validation (lightweight RBAC for definitions):
   --set authorization.definitionValidationEnabled=true
   This ensures users can only reference definitions they have access to.

Using both features together provides defense in depth.
Without these protections, users can leverage KubeVela's permissions to deploy
resources beyond their intended access level.
{{- end }}
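
The two conditions above can also be checked before a release is applied. The following is an added example, not part of the KubeVela chart: it mirrors both template branches over a parsed values dict and also flags withUser=true with authentication.enabled=false, which the note text says does not give impersonation. The function names, finding codes and sample values are assumptions made for illustration.

```python
"""Pre-deploy gate mirroring the NOTES.txt warning conditions (added example)."""


def _on(values, section, key):
    # Assumption: only a literal boolean True counts as enabled; a missing key
    # is treated as disabled (the chart's defaults are not shown on this page).
    return (values.get(section) or {}).get(key) is True


def audit(values):
    """Return (code, message) findings for a vela-core values dict."""
    auth = _on(values, "authentication", "enabled")
    with_user = _on(values, "authentication", "withUser")
    def_val = _on(values, "authorization", "definitionValidationEnabled")
    findings = []
    if auth and not with_user:
        # First template branch: every application runs as defaultUser.
        findings.append(("AUTH_WITHOUT_USER",
                         "authentication.enabled without withUser gives no security benefit"))
    if not def_val and not auth:
        # Second template branch: neither protection is active.
        findings.append(("NO_PROTECTION",
                         "authentication and definition validation are both disabled"))
    if with_user and not auth:
        # Not covered by a template branch; both flags are needed for impersonation.
        findings.append(("WITHUSER_INERT",
                         "withUser is set but authentication.enabled is not"))
    return findings


def codes(values):
    return [code for code, _ in audit(values)]


# Constructed sample inputs, shaped like the dict from parsing the chart values.
SAMPLES = {
    "defaults_off": {},
    "half_enabled": {"authentication": {"enabled": True, "withUser": False}},
    "inert_flag": {"authentication": {"enabled": False, "withUser": True},
                   "authorization": {"definitionValidationEnabled": True}},
    "hardened": {"authentication": {"enabled": True, "withUser": True},
                 "authorization": {"definitionValidationEnabled": True}},
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name}: {codes(sample) or 'ok'}")
```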