openshift-pipelines
How to prevent rogue tasks
Lets say I set up PAC for a repo with associated Kubernetes namespace. Aside from careful PR review policies, what's to stop someone modifying the PipelineRun in .tekton to include a taskSpec to egress the service account token (probably pipeline with edit role) - giving persistent access to that namespace?
Should there be a mode to only allow pre-approved tasks rather than allowing inline taskSpec? Or at least include a security section in the docs warning about this?
@jimmyjones2 users are supposed to be "trusted" and already have an access to the cluster to be able to run "CI". We don't let any CI run unless the users is an "owner/collaborator" on the repo (as defined by the GIT provider i.e: the Github api) or explicitly approved with the /ok-to-test comment on PR or inside the OWNERS files in the trunk/main branch of the repo.
If you don't trust those users you probably are looking to run an open policy agent https://www.openpolicyagent.org/docs/latest/policy-language/, I am not an expert on this but i know some teams at Red Hat runs this to only have an "allowed list" of tekton bundles to be allowed to be run on tekton/PAC.
