#158 RBAC-Manager could augment `resourceName` behavior in `Role` and `ClusterRole`
Comments
@sudermanjr asked in another thread: "Does this encourage people to disregard our advice of segmenting namespaces logically?" I don't think it "encourages" it but I do think this enables that to a certain extent. I can see this feature being useful to add segmentation in a finer-grained way in addition to the logical segmentation. It also adds a type of functionality that could be very useful to dev teams in the dev workflow and/or when you want to grant read-only access to certain resources in production.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I still believe in you!
We are also looking for this feature. Any plans on implementing this in the future?
I want to move forward with this feature, and currently thinking over the implementation options. I think I like the idea of annotating a. pattern match using regex The issue I see with pattern matching is the same that's brought up in the above linked kubernetes thread (kubernetes/kubernetes#56582) where you match pods with If we match purely to a Deployment name, then we could use the Thoughts on these? CC: @ejether |
Problem:
The `resourceNames` property in RBAC Role and ClusterRole is limited in usefulness because it is not currently possible to scope dynamically to pods created by a `Deployment`, `DaemonSet`, `StatefulSet`, etc., because the value in `resourceNames` is an exact match and not a pattern match. Therefore, using a pod controller name to define a set of Pods in the Role or ClusterRole is not possible. There is some more discussion here: kubernetes/kubernetes#56582
Idea:
It would be rad if you could define a pod controller instance name, `{Deployment: webapp}` for example, and have the `Role` or `ClusterRole` dynamically recognize the child Pods of that controller and grant access.
Proposal:
Add new feature of RBAC-Manager to edit roles in place to grant this access. In both of two ways:
`pods` that start with `dev`)
Value:
@rbren brought up the basic ideas but the current RBAC segmentation capability is limited if the workload architecture is not hyper-segmented in namespaces. For example, if you wanted to grant front end devs access to get the logs from only the front end related pods in a shared production namespace you would not be able to do that effectively. This could also apply to dev/test infra.
Possible Implementations (not exhaustive):
For example:
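As an added example (not rbac-manager's code and not part of the issue thread), this is the computation the proposed "edit roles in place" feature has to do for the `{Deployment: webapp}` case: follow `metadata.ownerReferences` from the Deployment to its ReplicaSet(s) and from those to their Pods, then emit a Role whose `resourceNames` pins `pods` and `pods/log` to exactly those names. The stand-in types, the namespace snapshot, the Deployment name `webapp`, the ReplicaSet and Pod names and the function names are all assumptions made for the example. The proposal's second mode (prefix match) is included alongside so the difference is visible: a hand-made Pod called `webapp-debug` matches the prefix but is not owned by the Deployment.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Stand-ins for Kubernetes object metadata (name and ownerReferences); a real controller reads these via client-go.
type OwnerRef struct{ Kind, Name string }
type Object struct {
	Kind, Name string
	Owners     []OwnerRef
}

// SampleObjects is a constructed namespace snapshot so the example runs offline:
// two Deployments with their ReplicaSets and Pods, plus two unowned Pods, one
// of which merely shares the "webapp" name prefix.
var SampleObjects = []Object{
	{Kind: "ReplicaSet", Name: "webapp-5d8f9", Owners: []OwnerRef{{Kind: "Deployment", Name: "webapp"}}},
	{Kind: "Pod", Name: "webapp-5d8f9-abc12", Owners: []OwnerRef{{Kind: "ReplicaSet", Name: "webapp-5d8f9"}}},
	{Kind: "Pod", Name: "webapp-5d8f9-xyz34", Owners: []OwnerRef{{Kind: "ReplicaSet", Name: "webapp-5d8f9"}}},
	{Kind: "ReplicaSet", Name: "api-7c6b4", Owners: []OwnerRef{{Kind: "Deployment", Name: "api"}}},
	{Kind: "Pod", Name: "api-7c6b4-q1w2e", Owners: []OwnerRef{{Kind: "ReplicaSet", Name: "api-7c6b4"}}},
	{Kind: "Pod", Name: "webapp-debug"}, // hand-made Pod, not owned by the Deployment
	{Kind: "Pod", Name: "dev-shell"},
}

// PodsOwnedByDeployment follows ownerReferences Deployment -> ReplicaSet -> Pod.
func PodsOwnedByDeployment(deployment string, objs []Object) []string {
	rs, pods := map[string]bool{}, []string{}
	for _, o := range objs { // pass 1: ReplicaSets owned by the Deployment
		for _, ref := range o.Owners {
			if o.Kind == "ReplicaSet" && ref.Kind == "Deployment" && ref.Name == deployment {
				rs[o.Name] = true
			}
		}
	}
	for _, o := range objs { // pass 2: Pods owned by those ReplicaSets
		for _, ref := range o.Owners {
			if o.Kind == "Pod" && ref.Kind == "ReplicaSet" && rs[ref.Name] {
				pods = append(pods, o.Name)
			}
		}
	}
	sort.Strings(pods)
	return pods
}

// PodsWithPrefix is the proposal's looser mode ("pods that start with dev"); it also catches unrelated Pods sharing the prefix.
func PodsWithPrefix(prefix string, objs []Object) []string {
	pods := []string{}
	for _, o := range objs {
		if o.Kind == "Pod" && strings.HasPrefix(o.Name, prefix) {
			pods = append(pods, o.Name)
		}
	}
	sort.Strings(pods)
	return pods
}

// The rbac.authorization.k8s.io/v1 Role fields used here, tagged for JSON output.
type (
	Rule struct {
		APIGroups     []string `json:"apiGroups"`
		Resources     []string `json:"resources"`
		ResourceNames []string `json:"resourceNames,omitempty"`
		Verbs         []string `json:"verbs"`
	}
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	}
	Role struct {
		APIVersion string   `json:"apiVersion"`
		Kind       string   `json:"kind"`
		Metadata   Metadata `json:"metadata"`
		Rules      []Rule   `json:"rules"`
	}
)

// BuildPodLogRole emits a Role granting verbs on pods and pods/log for exactly podNames. It refuses
// an empty list (an omitted resourceNames matches every Pod) and verbs resourceNames cannot constrain.
func BuildPodLogRole(name, namespace string, podNames, verbs []string) (Role, error) {
	if len(podNames) == 0 {
		return Role{}, fmt.Errorf("no pods resolved; refusing to emit an unrestricted rule")
	}
	for _, v := range verbs {
		if v == "create" || v == "deletecollection" || v == "*" {
			return Role{}, fmt.Errorf("verb %q is not name-scoped; list explicit verbs such as get", v)
		}
	}
	rule := Rule{APIGroups: []string{""}, Resources: []string{"pods", "pods/log"}, ResourceNames: podNames, Verbs: verbs}
	return Role{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "Role", Metadata: Metadata{Name: name, Namespace: namespace}, Rules: []Rule{rule}}, nil
}

func main() {
	pods := PodsOwnedByDeployment("webapp", SampleObjects)
	role, err := BuildPodLogRole("webapp-frontend-logs", "production", pods, []string{"get"})
	fmt.Printf("role: %+v\nerr: %v\nprefix match: %v\n", role, err, PodsWithPrefix("webapp", SampleObjects))
}
```

Two practical points follow from this. First, the resolved names go stale on every rollout, so whatever writes the Role has to reconcile on Pod and ReplicaSet events rather than run once; between a rollout and the next reconcile the new Pods are simply not readable, which is the safe direction to fail. Second, the verb check mirrors Kubernetes RBAC semantics as documented: `create` and `deletecollection` cannot be restricted by `resourceNames`, and `list`/`watch` only match a name-restricted rule when the client sends a `metadata.name` field selector, so a `kubectl logs` workflow needs only `get`. To check the applied Role, `kubectl auth can-i get pods/webapp-5d8f9-abc12 --subresource=log --as=<user> -n production` should answer yes, while the same query for `api-7c6b4-q1w2e` should answer no.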