Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Loosen up Owner-Child resource subscription checks #4343

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Loosen up Owner-Child resource subscription checks #4343

wants to merge 3 commits into from

Conversation

super-harsh
Copy link
Collaborator

@super-harsh super-harsh commented Oct 15, 2024
edited
Loading

Closes #3754

What this PR does / why we need it:

We introduced this check a while ago with single-operator multitenancy credentials to prevent users from creating resources in a subscription that doesn't match the subscription of the owner resource. However, there could be scenarios where owner and child resources could be provisioned in distinct subscriptions.

This PR is to loosen up check between Owner-Child resource subscription mismatch for ARMID owner references. From a security perspective Azure has access checks and the operation is not allowed, it'll be rejected at ARM level.

Special notes for your reviewer:

Will add documentation after we make a decision on taking the change

If applicable:

  • this PR contains tests

@super-harsh super-harsh self-assigned this Oct 15, 2024
theunrepentantgeek
theunrepentantgeek reviewed Oct 15, 2024
View reviewed changes
Copy link
Member

@theunrepentantgeek theunrepentantgeek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This just removes the restriction - I thought we discussed yesterday that we needed it when the owner was within the cluster, but possibly loosen it when the owner is referenced directly by ARM ID.

@super-harsh
Copy link
Collaborator Author

@theunrepentantgeek I've made the change as per above.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@theunrepentantgeek theunrepentantgeek theunrepentantgeek approved these changes

@davefellows davefellows Awaiting requested review from davefellows davefellows is a code owner

@matthchr matthchr Awaiting requested review from matthchr matthchr is a code owner

@babbageclunk babbageclunk Awaiting requested review from babbageclunk babbageclunk is a code owner

Assignees

@super-harsh super-harsh

Labels
None yet
Projects
Azure Service Operator Roadmap
Status: In Progress
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Bug: remove subscription check between resource/owner for DNS records
2 participants
@super-harsh @theunrepentantgeek