Skip to content

feat: add MachineAccount support to PolicyBinding subjects with mandatory namespace validation#552

Merged
JoseSzycho merged 5 commits intomainfrom
feat/machineaccount-authorization
Apr 2, 2026
Merged

feat: add MachineAccount support to PolicyBinding subjects with mandatory namespace validation#552
JoseSzycho merged 5 commits intomainfrom
feat/machineaccount-authorization

Conversation

@JoseSzycho
Copy link
Copy Markdown
Contributor

@JoseSzycho JoseSzycho commented Apr 1, 2026
edited
Loading

@JoseSzycho JoseSzycho marked this pull request as draft April 1, 2026 14:31
@joggrbot
Copy link
Copy Markdown
Contributor

joggrbot bot commented Apr 1, 2026
edited
Loading

📝 Documentation Analysis

All docs are up to date! 🎉

✅ Latest commit analyzed: f858aed | Powered by Joggr

@JoseSzycho JoseSzycho marked this pull request as ready for review April 1, 2026 17:04
@JoseSzycho JoseSzycho marked this pull request as draft April 1, 2026 17:04
@joggrbot joggrbot bot mentioned this pull request Apr 1, 2026
Closed
@JoseSzycho JoseSzycho marked this pull request as ready for review April 2, 2026 12:34
@JoseSzycho JoseSzycho requested a review from scotwells April 2, 2026 12:34
@scotwells
Copy link
Copy Markdown
Contributor

scotwells commented Apr 2, 2026

Aren't machine keys cluster-scoped resources?

@JoseSzycho
Copy link
Copy Markdown
Contributor Author

JoseSzycho commented Apr 2, 2026

@scotwells MachineAccounts are namespaced resources https://github.com/datum-cloud/milo/blob/main/pkg/apis/iam/v1alpha1/machineaccount_types.go

@scotwells
Copy link
Copy Markdown
Contributor

scotwells commented Apr 2, 2026

Is that by design? Their access is granted across the entire project so it's odd they would be namespaced.

@JoseSzycho
Copy link
Copy Markdown
Contributor Author

JoseSzycho commented Apr 2, 2026

@scotwells Is this way by design. That type was introduced 10 months ago.
#177

Do you want the MachineAccount type to be updated to be cluster scoped?

@scotwells
Copy link
Copy Markdown
Contributor

scotwells commented Apr 2, 2026

I think cluster-scoped would make more sense right now given their access is granted across the entire project. We can introduce a namespaced equivalent if the use-case comes up.

@JoseSzycho
Copy link
Copy Markdown
Contributor Author

JoseSzycho commented Apr 2, 2026

@scotwells I'm doing the changes now. Do you think that I would face issues with the already created MachineAccounts in staging?

@scotwells
Copy link
Copy Markdown
Contributor

scotwells commented Apr 2, 2026

@JoseSzycho they may disappear, unsure how the storage layer would like that.

@JoseSzycho JoseSzycho merged commit f4a6dd1 into main Apr 2, 2026
7 of 8 checks passed
@JoseSzycho JoseSzycho deleted the feat/machineaccount-authorization branch April 2, 2026 15:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@scotwells scotwells scotwells approved these changes

Assignees

@zachsmith1 zachsmith1

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@JoseSzycho @scotwells @zachsmith1