Add support for Service Account details in all actions for OPA
under review
C
Convincing Wildcat
Add metadata info for SA when it does an action.
Example:
User updates a connector, the payload yaml returns with full user details. A SA updates the same pipeline, the yaml shows user: null
OPA cannot tell if an action is performed by a service account (the info that OPA sees shows "user: null"). This means that you need to add an exception to policies that bypasses restrictions if user==null, but then any service account can trivially bypass OPA.
There needs to be data enriched fields to inform OPA on if the action is performed via service account, and more details on exactly which service account is performing the action.
Log In
Prateek Mittal
under review