-
Notifications
You must be signed in to change notification settings - Fork 905
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ability to deploy only the selected API groups of a provider #2122
Comments
it might be helpful to have a whitelist and blacklist of supported groups. This would enable folks to disable IAM for example. |
We had a quick sync with @ulucinar about this issue. I believe the use cases (partition, hence stronger IRSA story) described in the issue will be mostly covered by #2411 . So, it would make sense to limit this to just being able to install a provider with limited set of resources with no guarantee about whether you can install another provider with another set or conflicting sets. The rough design is to have a new field under apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: provider-aws
spec:
image: crossplane/provider-aws:v0.19.2
apiGroups: # optional. if empty, it will work just like today.
- ec2.aws.crossplane.io
- rds.aws.crossplane.io The One important aspect is that if the user adds or removes a group from the list, we should be able to account for that and take necessary steps, which could be creating a new cc @negz @hasheddan |
Thanks @muvaf. One question: Why do we treat a change in the set of reconciled API groups by the provider as a new provider revision? It will correspond to a change in the command-line options we pass to the provider. Is it because the change is in the provider spec? If so, what about making this part of the ControllerConfig maybe? |
Unfortunately, it's not only that. Package manager applies CRDs and then creates the
If it was only a flag change, we could consider this. But since it affects other stuff, we'd have to treat |
- Fixes crossplane#2122 Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
- Fixes crossplane#2122 Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
…sed providers - Related Crossplane issue: crossplane/crossplane#2122 Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
- Related Crossplane issue: crossplane/crossplane#2122 Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
…sed providers - Related Crossplane issue: crossplane/crossplane#2122 Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
- Related Crossplane issue: crossplane/crossplane#2122 Signed-off-by: Alper Rifat Ulucinar <ulucinar@users.noreply.github.com>
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions. |
What problem are you facing?
When you deploy a provider like provider-aws, CRDs of all groups are deployed and their controllers are started. But if you'd like to use only IAM resources like
IAMRole
,IAMPolicy
etc., you can't really do it.One of the use cases that needs this granularity could be the use of granular IRSA. Today, you can choose how controller should authenticate to provider API by using
spec.providerConfigRef
, however, the controller pod itself has ability to use every auth mechanism that's defined, including IRSA, if it wants to. So, I wanted to open this issue to see how folks feel about this in terms of security.How could Crossplane help solve your problem?
We could deploy a separate provider instance for each group. For example:
Then you can configure IRSA of this provider pod specifically using
ControllerConfig
and then if you'd like to deploy other groups with different IRSA configuration, you can do so. The resulting pods won't share the same cache and each controller manager would have a bit of overhead, so in terms of CPU/memory usage I'd expect higher numbers in total.The text was updated successfully, but these errors were encountered: