
Capture object creator for run requests.

Open wlynch opened this issue 2 years ago • 0 comments

Feature request

Preserve the AuthInfo for the user who created a Run.

This information should only be set on create, and should be immutable once set.

Use case

Auditing / supply chain security.

It's useful for build provenance to know who created a Run. This can let you make smarter policy choices since a Run created by automation (e.g. triggers) might be considered more trustworthy than a Run created by a human user. This also leaves an audit trail in objects for how the object was created in case the Run was configured with unexpected configuration without needing to correlate objects with the k8s audit API.

Additional information

This information is present in AdmissionRequests, so to implement we'd need to capture it in the mutating admission webhook.

cc @lbernick

wlynch, Aug 24 '23 16:08
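One way the capture step requested above could look inside a mutating admission webhook, as an added example that is not Tekton's code and not from the issue author. The annotation key `example.dev/created-by`, the function `stampCreator` and the type names are hypothetical, only the `username` field of the request's `userInfo` is recorded, and the sample request in `main` is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical annotation name and its JSON Pointer path ("/" escaped as "~1").
const (
	creatorKey  = "example.dev/created-by"
	creatorPath = "/metadata/annotations/example.dev~1created-by"
)

// Subset of the admission.k8s.io/v1 AdmissionRequest fields used here.
type meta struct{ Annotations map[string]string `json:"annotations"` }
type admissionRequest struct {
	Operation string `json:"operation"`
	UserInfo  struct{ Username string `json:"username"` } `json:"userInfo"`
	Object    struct{ Metadata meta `json:"metadata"` } `json:"object"`
	OldObject struct{ Metadata meta `json:"metadata"` } `json:"oldObject"`
}
type patchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value"`
}

// stampCreator returns the JSON patch recording the authenticated user on CREATE
// (JSON Patch "add" overwrites a client-supplied value) and rejects UPDATEs that alter it.
func stampCreator(raw []byte) ([]patchOp, error) {
	var req admissionRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return nil, err
	}
	old, cur := req.OldObject.Metadata.Annotations, req.Object.Metadata.Annotations
	switch {
	case req.Operation == "UPDATE" && old[creatorKey] != cur[creatorKey]:
		return nil, fmt.Errorf("annotation %s is immutable", creatorKey)
	case req.Operation != "CREATE":
		return nil, nil
	case cur == nil: // no annotations map yet, so add the whole map
		return []patchOp{{"add", "/metadata/annotations", map[string]string{creatorKey: req.UserInfo.Username}}}, nil
	}
	return []patchOp{{"add", creatorPath, req.UserInfo.Username}}, nil
}

func main() { // constructed request: the client tries to pre-set the annotation
	fmt.Println(stampCreator([]byte(`{"operation":"CREATE","userInfo":{"username":"system:serviceaccount:ci:trigger"},"object":{"metadata":{"annotations":{"example.dev/created-by":"spoofed"}}}}`)))
}
```

The value comes from the `userInfo` the API server attaches to the request, not from anything in the submitted object, so a client cannot choose it.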