allow ACL policies to be associated with workload identity #14140
@@ -0,0 +1,3 @@ | |||
```release-note:improvement | |||
cli: `acl policy info` output format has changed to improve readability with large policy documents |
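Review bot: the `cli:` line of this release note says the `acl policy info` output format has changed but not what changed. Since the entry announces a change to existing CLI output, name the difference in the note itself (for example how the policy document is now laid out) so that operators who parse this command's output can tell whether they are affected.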
This is the only bit of this that's changing behavior of already-shipped code outside of Secure Variables and Workload Identity work (which will get its own changelog entry once we're ready to wrap everything up). If we want to be fussy we can pull this out to its own PR but it's a tiny change that won't get backported so seemed safe to keep here.
Some end-to-end testing:
LGTM! just the usual suggestions
I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
The original design for workload identities and ACLs allows for operators to
extend the automatic capabilities of a workload by using a specially-named
policy. This has been shown to be potentially unsafe because of naming collisions, so
instead we'll allow operators to explicitly attach a policy to a workload
identity.
This changeset adds workload identity fields to ACL policy objects and threads
that all the way down to the command line. It also adds a new secondary index to the
ACL policy table on namespace and job so that claim resolution can efficiently
query for related policies.
Fixes #13995
cc @schmichael @apollo13 @angrycub
I've got this in draft while I do some end-to-end verification but the overall design seems sound enough for a first look if you've got comments.
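The difference between name-derived and explicitly attached policies described above, as an added Go sketch that is not code from this pull request or from the project. The `Claims`, `Policy` and `Store` types, the function names, and the `<namespace>-<job>` naming convention are all assumptions made for illustration; the sample policy and jobs are constructed.

```go
package main

import "fmt"

// Claims stands in for the namespace and job a workload identity asserts.
type Claims struct{ Namespace, JobID string }

// Policy is a simplified ACL policy; Namespace and JobID are the optional
// explicit attachment (hypothetical fields). Empty JobID means unattached.
type Policy struct{ Name, Namespace, JobID string }

// Store holds policies by name plus a secondary index on (namespace, job).
type Store struct {
	byName map[string]Policy
	byJob  map[Claims][]string
}

// NewStore builds both tables; policy names are assumed to be unique.
func NewStore(policies ...Policy) *Store {
	s := &Store{map[string]Policy{}, map[Claims][]string{}}
	for _, p := range policies {
		s.byName[p.Name] = p
		if k := (Claims{p.Namespace, p.JobID}); p.JobID != "" {
			s.byJob[k] = append(s.byJob[k], p.Name)
		}
	}
	return s
}

// ResolveByName models the implicit scheme: the policy whose name can be
// derived from the claims applies ("<namespace>-<job>" is assumed here).
func (s *Store) ResolveByName(c Claims) []string {
	name := c.Namespace + "-" + c.JobID
	if _, ok := s.byName[name]; ok {
		return []string{name}
	}
	return nil
}

// ResolveAttached returns only policies explicitly attached to the claims,
// found with a single lookup in the secondary index.
func (s *Store) ResolveAttached(c Claims) []string {
	return s.byJob[c]
}

func main() {
	s := NewStore(Policy{"prod-web-api", "prod", "web-api"})
	for _, c := range []Claims{{"prod", "web-api"}, {"prod-web", "api"}} {
		fmt.Println(c, "by name:", s.ResolveByName(c), "attached:", s.ResolveAttached(c))
	}
}
```

Both constructed jobs derive the same policy name, so the name-based lookup grants the policy to each, while the attached lookup returns it only for the job it was written for.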