Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

APIExport RBAC for clients #1335

Closed
astefanutti opened this issue Jun 23, 2022 · 3 comments
Closed

APIExport RBAC for clients #1335

astefanutti opened this issue Jun 23, 2022 · 3 comments
Labels
area/apiexports
Milestone
v0.6.0

Comments

@astefanutti
Copy link
Member

astefanutti commented Jun 23, 2022
edited
Loading

Now that controllers should configure their API clients using the corresponding APIExport virtual workspace server URLs, these raises the following questions w.r.t. authorization:

  1. The controller is supposed to retrieve the APIExport virtual workspace server URL, by getting the APIExport resource and read its status. While this may be fine for APIExports owned by the controller, generally the controller SA is not granted the permission to get APIExport resources in other workspaces. Similarly, it is generally not granted the permission to get APIExport resources from compute service workspaces, when consuming APIs negotiated via workload clusters. As a work-around, such a controller has to build the APIExport virtual workspace server URL manually, which seems brittle.

  2. The controller client must be privileged to query the APIExport virtual workspace API server across multiple workspaces. Currently, a dedicated ServiceAccount has to be created, with the proper ClusterRole bound, but that's actually limited to one workspace, and kind of defeats the TMC feature, when it comes to deploying such a controller via kcp.

Describe the solution you'd like

Ideally, the controller SA could be granted the permissions to get the URLs of the APIExports it consumes, and access their underlying content, via standard RBAC. By an "APIExport underlying content", we mean the resources of the APIs exported by that particular APIExport, in all the workspaces that have it bound.
@sttts sttts added this to kcp Jun 23, 2022
@sttts sttts moved this to New in kcp Jun 23, 2022
@astefanutti
Copy link
Member Author

astefanutti commented Jun 24, 2022
edited
Loading

After some discussions, here are the actions I can see:

  • For 1) / compute service APIExport: A solution has to be devised, possibly with a local APIExport claiming resources from the compute service workspace APIExport
  • For 2): Document the solution to use a ClusterRole with the following rule:
- apiGroups:
   - apis.kcp.dev
   resources:
   - apiexports/content
   verbs:
   - '*'

@ncdc ncdc added this to the TBD milestone Jun 28, 2022
@astefanutti astefanutti modified the milestones: TBD, v0.6.0 Aug 4, 2022
@astefanutti
Copy link
Member Author

The main tasks have been delivered as part of the 0.6.0 release:

Let me close this.

Repository owner moved this from New to Done in kcp Aug 4, 2022
@astefanutti
Copy link
Member Author

Documentation should be addressed in #1859.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/apiexports
Projects
kcp
Status: Done
Milestone
v0.6.0
Development

No branches or pull requests
2 participants
@ncdc @astefanutti