Cannot create IAMPolicyMember in namespace B for a Project in namespace A #320

Closed · karlkfi opened this issue Nov 26, 2020 · 6 comments
Labels: bug (Something isn't working)

Comments

@karlkfi commented Nov 26, 2020

The platform team wants to manage project lifecycle in namespace A.
The tenant team B wants to manage role binding lifecycle in namespace B.
KCC doesn't allow resourceRef to refer to resources in another namespace.

So when tenant team B tries to create an IAMPolicyMember in namespace B, it errors because the project resource is in namespace A.

ConfigConnector Version
1.27.1

To Reproduce

# Two Projects managed by the platform team, both living in namespace "projects" (namespace A).
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  annotations:
    cnrm.cloud.google.com/auto-create-network: "false"
  name: "${PROJECT_ID_A}"
  namespace: projects
spec:
  name: "${PROJECT_ID_A}"
  billingAccountRef:
    external: "${BILLING_ACCOUNT}"
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  annotations:
    cnrm.cloud.google.com/auto-create-network: "false"
  name: "${PROJECT_ID_B}"
  namespace: projects
spec:
  name: "${PROJECT_ID_B}"
  billingAccountRef:
    external: "${BILLING_ACCOUNT}"
---
# Tenant team B's service account, managed in the tenant namespace "${PROJECT_ID_B}" (namespace B).
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: my-service-account
  namespace: "${PROJECT_ID_B}"
spec:
  displayName: "${PROJECT_ID_B}"
---
# Tenant team B's role binding: grants the service account roles/owner on Project A.
# The referenced Project lives in namespace "projects", not in this IAMPolicyMember's namespace.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: my-policy-member
  namespace: "${PROJECT_ID_B}"
spec:
  member: "serviceAccount:my-service-account@${PROJECT_ID_B}.iam.gserviceaccount.com"
  role: roles/owner
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    name: "${PROJECT_ID_A}"
    namespace: projects   # cross-namespace reference; rejected by KCC 1.27.1
karlkfi added the bug label Nov 26, 2020

@xiaobaitusi (Contributor) commented:
Hi @karlkfi, are you running config connector in the namespaced mode?

If so, you can resolve the issue by applying the following RoleBinding to grant the controller for namespace B the permission to reference resources in namespace A, i.e. namespace projects in your case.

# Bound in namespace A ("projects"), where the referenced Projects live.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-resource-reference-from-namespace-B
  namespace: projects
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cnrm-admin   # KCC's built-in read/write ClusterRole
subjects:
# The per-namespace controller ServiceAccount for namespace B (namespaced mode).
- kind: ServiceAccount
  name: cnrm-controller-manager-${PROJECT_ID_B}
  namespace: cnrm-system

@karlkfi (Author) commented Nov 30, 2020

Yeah, that isn't sufficient. The IAMPolicyMember resource errors with

error setting policy member: error getting resource config for referenced resource: resource reference's namespace must be unspecified or be equal to the IAM resource's namespace

@xiaobaitusi (Contributor) commented:

Hi @karlkfi, we seem to have a constraint that only allows same-namespace references. We are looking into relaxing it to support cross-namespace references. Will update the thread when we have more information.

@jcanseco (Member) commented Jan 6, 2021

Hi @karlkfi, it is now possible to create an IAMPolicyMember that references resources in another namespace in KCC v1.34.0. Note that you would still need the RoleBinding provided by @xiaobaitusi if you are using KCC in namespaced-mode though. Closing this issue now, but please feel free to follow-up with comments if you have any further questions.

@jcanseco jcanseco closed this as completed Jan 6, 2021
@karlkfi (Author) commented Feb 22, 2021

Isn't cnrm-admin a bit overkill? It grants read/write.

Is there a cnrm-viewer we can use instead?

@jcanseco (Member) commented:
Hey @karlkfi, good idea. Created #407 to track the request.
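A read-only alternative to binding the cnrm-admin ClusterRole, added here as an example and not code from this thread or from the Config Connector project: a namespaced Role in namespace projects that grants only get/list/watch on Project resources, bound to tenant B's controller ServiceAccount. It assumes that resolving a resourceRef only requires the controller to read the referenced Project (the API group and plural resource name follow from the Project kind used above; the Role name, RoleBinding name and the verb set are assumptions to verify against your KCC version), and that the controller ServiceAccount follows the cnrm-controller-manager-${PROJECT_ID_B} naming shown earlier in the thread.

```yaml
# Added example: least-privilege replacement for the cnrm-admin RoleBinding.
# Assumption: the controller only needs to read the referenced Project to
# resolve a cross-namespace resourceRef, so get/list/watch suffice.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cnrm-project-reader      # assumed name
  namespace: projects            # namespace A, where the Projects live
rules:
- apiGroups: ["resourcemanager.cnrm.cloud.google.com"]
  resources: ["projects"]
  verbs: ["get", "list", "watch"]
  # To keep tenant B's controller from reading Projects other than A, pin the
  # rule with resourceNames. Note that resourceNames only constrains "get";
  # "list" and "watch" still expose every Project in the namespace.
  # resourceNames: ["${PROJECT_ID_A}"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-project-reads-from-namespace-B   # assumed name
  namespace: projects
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role                     # namespaced Role, not the cnrm-admin ClusterRole
  name: cnrm-project-reader
subjects:
# Per-namespace controller ServiceAccount for namespace B (namespaced mode).
- kind: ServiceAccount
  name: cnrm-controller-manager-${PROJECT_ID_B}
  namespace: cnrm-system
```

After applying it, confirm the grant is exactly what you intended by impersonating the controller ServiceAccount: `kubectl auth can-i get projects.resourcemanager.cnrm.cloud.google.com -n projects --as=system:serviceaccount:cnrm-system:cnrm-controller-manager-${PROJECT_ID_B}` should answer yes, while the same check with `create` or `delete` should answer no. If the IAMPolicyMember then fails to reconcile with a forbidden error, the controller needs more than read access for references and the verb list above has to be widened; check the controller's logs for the verb it was denied rather than falling back to cnrm-admin.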
