-
Notifications
You must be signed in to change notification settings - Fork 162
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add applications to act as tenant owner #276
Comments
Thanks for sharing this feature proposal, @bsctl: really appreciated! I'm not so concerned regarding the Owner Reference mutating webhook: I think we could add a sort of check, when the request is made by a ServiceAccount we could skip the User and Group traversal, simplifying the identity process. Something similar to What is absolutely breaking is the CRD specification, since However, I know @MaxFedotov is really interested in this topic and I'd like to know his point of view regarding the proposal and if this solves their problems. |
yep, I'm aware of that. We should go with annotations in |
Hi @bsctl, thanks for a great proposal! That's really should work.
we can use
So the spec will look like:
@prometherion, @bsctl WDYT? |
What about, instead using directly the apiVersion: capsule.clastix.io/v1alpha1
kind: Tenant
metadata:
name: oil
spec:
owners:
- kind: Group
name: engineering
- kind: User
name: alice
- kind: ServiceAccount
name: system:serviceaccount:capsule-system:default Honestly, I wouldn't put a regex in the token stuff:that would degrade further performances and, if you need to allow permissions to a set of Service Account, you could simply use the |
The problem is if I want to allow all service accounts located in all tenant's Namespaces to act as tenant owners (and as a cluster admin I don't know which namespaces and SA will be in tenant beforehand), but I can use |
@prometherion @MaxFedotov - kind: ServiceAccount
name: system:serviceaccount:capsule-system:default or - kind: ServiceAccount
token:
iss: kubernetes/serviceaccount
sub:
allowedRegex: "^.*capsule-.*$"
allowed: ["system:serviceaccount:capsule-system:default"] give the role of tenant owner to any SA in the Imho, we should give that role only to SA under the control of the the tenant owner:
I'm not sure how this can be achieved, honestly, need to figure out. May be scraping JWT docs? @MaxFedotov yes, this would be better - kind: ServiceAccount
token:
iss: kubernetes/serviceaccount
sub:
allowed: ["system:serviceaccount:${TenantName}-.*"] and |
No, it isn't. It seems could be a good idea using the To address this in the current schema, we could use the annotations meta-programming, but first let's introduce how the apiVersion: capsule.clastix.io/v1alpha2
kind: Tenant
metadata:
name: new-tnt
spec:
owners:
- kind: User
allowed: ["alice"]
- kind: Group
allowed: ["engineering", "production"]
- kind: ServiceGroup
allowedRegex: "^.*capsule-.*$" This would be converted to apiVersion: capsule.clastix.io/v1alpha1
kind: Tenant
metadata:
name: new-tnt
annotations:
owners.capsule.clastix.io/1: "Group;engineering,production" // 1 is the 0-based index of owners in v1alpha2
owners.capsule.clastix.io/2: "ServiceAccount;;^.*capsule-.*$"
spec:
owner:
kind: User
name: "alice" We have to pay extra attention to the cases of converting a apiVersion: capsule.clastix.io/v1alpha2
kind: Tenant
metadata:
name: new-tnt
spec:
owners:
- kind: User
allowed: ["alice", "bob"] Because we would expect something as follows: apiVersion: capsule.clastix.io/v1alpha1
kind: Tenant
metadata:
name: new-tnt
annotations:
owners.capsule.clastix.io/0: "User;bob" // adding bob to the allowed list of users
spec:
owner:
kind: User
name: "alice" Since these changes are going to be fully backed by a new CRD version, we can easily update the old CRD using the minor release to support a new enum value in the |
@prometherion |
We can start this but, first, we need to scaffold the We don't need to start gluing the new version into the current status, just having an API there that is going to be used during the development phase is good enough. We can open a new issue to track the new CRD version so we can easily test the migration webhook without any problem. |
Describe the feature
We should consider to have a more general approach for the Tenant Ownership. Currently ownership of a tenant is assigned by the cluster admin to a single subject:
User
orGroup
. However, there are cases where an application needs to act as tenant owner, for example, to provision namespaces or getting list of nodes and storage/ingress class assigned to tenant (through the capsule-proxy or simply asking the APIs server).This enhancement proposal tries to address the above requirement. We already considered this topic in the past, see this comment, but for some reason, we excluded
ServiceAccounts
from tenant ownership.The current proposal is inspired by the Harbor Registry with its RobotAccount feature.
What would the new user story look like?
Expected behavior
The text was updated successfully, but these errors were encountered: