Updated enforcement design to align with the issue 151 #156
base: master
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mpryc The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
1c8e02e to 1a7eab6
Implementing enforcement for the NonAdminBackupStorageLocation requires a revisit of the enforcement behavior. This design should align with its requirements and allow other parts of the enforcement functionality. The enforcement levels are described in the: migtools#151 Signed-off-by: Michal Pryc <[email protected]>
1a7eab6 to 06cec29
For example, administrators may want to enforce specific rules on non-admin user operations, such as: | ||
|
||
- Enforcing a specific time to live (TTL) for Velero Backups associated with `NonAdminBackup`. | ||
- Limiting the region that users can select within Velero `BackupStorageLocation`. |
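Review bot: The two example bullets (TTL for Velero Backups associated with `NonAdminBackup`, and region within Velero `BackupStorageLocation`) name the rule being enforced but not the reason an administrator would set it or what the non-admin user sees when a request violates it. Suggest adding one sentence of motivation per bullet and a line stating that the enforcement error or warning reports the permitted value, so the background section explains the behavior on its own.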
What benefit does limiting region bring to admins exactly?
- AWS pricing varies by region. Admins can enforce the use of cost-effective regions and avoid expensive cross-region data transfer fees.
- Performance optimization to ensure S3 region is closer to the cluster
- Simplified management by ensuring everything is in one region so admins can review users' usage based on one region, they can better monitor access logs, apply regional security policies as everything is bound to one region
- I may also think that GDPR or HIPAA may take place where some data must be stored in specific locations, e.g. in Poland you cannot store any medical data outside of physical location data centers which must be based in the EEA (EU countries + Norway, Iceland, Liechtenstein):
GDPR (General Data Protection Regulation)
[...]
Article 44-49: Transfers of personal data outside the European Economic Area (EEA) (EU + Norway, Iceland, Liechtenstein) are restricted unless specific conditions are met.
So above in AWS, Azure, Google Cloud - you must ensure data is stored in an EEA-based region (e.g., AWS Frankfurt, AWS Stockholm).
So we are assuming non-admins who brought their own creds are actually sharing admin budget constraints.
I guess up to admin to decide.
> Performance optimization to ensure S3 region is closer to the cluster
enforcement error/warn should say what is allowed then
Sure. Just the background was unclear to me. Perhaps adding above bullet points to background would be great.
Implementing enforcement for the NonAdminBackupStorageLocation requires a revisit of the enforcement behavior. This design should align with its requirements and allow other parts of the enforcement functionality.
The enforcement levels are described in the:
#151