-
Notifications
You must be signed in to change notification settings - Fork 382
ACL for controlling access to ServiceClasses #250
Comments
@duglin our decision, as of the last face-to-face meeting, was to put the
I think we should discuss this after MVP-1. We have a lot on our place and it'll be much easier to add an (optional) ACL (or similar) than to rush something and replace it later. |
related to #162? |
My opinion on where we stand on this: in MVP, there will not be controls on this. We should have a policy of some type that determines whether a particular user can see a particular service class. There are a number of options for how we could do this, and I sincerely doubt that we will have any time before kubecon to discuss them. So, I think we can either move this issue to the 'Later' milestone, or close it (since it is decided for the moment) and create a new issue to add a policy resource. |
Moving to |
We discussed a couple different possibilities for this at the November 2017 face to face. Writing RBAC policies that the controller checks is fairly easy to do. Implementing ACL filtered list in Kubernetes, however is not. |
My own opinion, having argued originally for RBAC rules and ACL filtered list: we probably need to look at ways to expose cluster-scoped serviceclasses and plans into individual namespaces in a way that is controlled by policy. |
This is on the roadmap for GA. Will it be resolved with the blacklist/whitelist PR once it's merged? Otherwise I think it needs to be removed from the milestone. |
We get close after catalog restrictions, and all the way there after namespaced brokers/classes/plans. |
I think we should close this issue - since we've established that ACL filtered list/watch is essentially not possible today. I'm happy to leave it open if people want, but this isn't a feature we have a path to deliver in its original form. |
When a broker is registered with a service controller, who in Kube can see those services? Everyone? Do we want to have some kind of ACL to limit apps in certain namespaces to certain services?
We should probably discuss what we want for MVP-1, for later and what we want to do to allow for future tweaks to this decision that are backwards compatible.
The text was updated successfully, but these errors were encountered: