Add doc page about identities use cases #1117

Merged
merged 1 commit into from Jan 20, 2021

Conversation

@nader-ziada nader-ziada commented Jan 12, 2021

What type of PR is this?

/kind documentation

What this PR does / why we need it:

  • add a page for different identities use cases

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #992

Special notes for your reviewer:

Please confirm that if this PR changes any image versions, then that's the sole change this PR makes.

TODOs:

  • squashed commits
  • includes documentation
  • adds unit tests

Release note:

Add topic page for identities use cases

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/documentation Categorizes issue or PR as related to documentation. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jan 12, 2021
@k8s-ci-robot k8s-ci-robot added area/provider/azure Issues or PRs related to azure provider sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jan 12, 2021
@nader-ziada (Contributor Author):

@devigned not sure what is needed for this issue, but did this as a starting point; used some of the user stories from the multi-tenancy proposal as well.

@CecileRobertMichon (Contributor):

/assign @mboersma

@devigned (Contributor) left a comment:

Yay! This is going to be super helpful for folks.

I've provided a bit of feedback. Just want to challenge us to be as clear as possible about the rights and roles we require to operate a cluster.

@@ -0,0 +1,68 @@
## How to use Identities with CAPZ
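Review bot: the page title `## How to use Identities with CAPZ` is a level-two heading, the same level as the section headings that follow it (`## CAPZ controller:`), so the sections do not nest under the title; make the title a single `#` heading so the book's sidebar and in-page outline show the sections beneath it.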
Contributor


I think there's one more, but it isn't used yet. What do you think about documenting, or pointing to the documentation for, AAD Pod Identity, because it will need an identity too for attaching Managed Identities to Azure VMs / VMSS machines?

@@ -0,0 +1,68 @@
## How to use Identities with CAPZ

## CAPZ controller:
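Review bot: `## CAPZ controller:` ends with a colon, unlike the `## How to use Identities with CAPZ` heading above it; drop the trailing colon so the headings are consistent. Since this section describes what the controller's identity may do, open it with the scope the identity is assigned at, the role it holds, and why it needs them (what it has to create), so the minimum rights are stated rather than left for the reader to infer.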
Contributor


Not saying we should do this in this PR, but we should probably get as granular as the specific Azure Resource Manager rights that are required, or at a minimum what role is required. A role is composed of rights, and there are a bunch predefined, like Contributor. Roles and rights are also scoped by subscription, group, etc.

Eventually, I think it would be best to define our own custom roles and specific scopes to ensure that we are using the least privilege possible for each role while being as clear as possible about those rights and scopes.

Example would be:

CAPZ controller:

  • Scope: Subscription
  • Role: Contributor
    • Rights: see default Azure Subscription Contributor documentation
  • Reasoning: the controller is responsible for creating resource groups and cluster resources within the group. To create a resource group within a subscription, one must have subscription contributor rights. Note, this role's scope can be reduced to Resource Group Contributor if all resource groups are created prior to cluster creation.

WDYT?
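To make the scope-versus-role reasoning in the comment above concrete, here is a small Python model of how Azure RBAC combines an assignment's scope with a role's Actions and NotActions patterns. It is an added example for this page, not code from the CAPZ project or from the commenter. The subscription ID, principal names ("capz-sub-contributor", "capz-rg-contributor", "auditor") and resource group names are constructed, and the Contributor role's NotActions list is abbreviated to its Microsoft.Authorization entries.

```python
"""Toy model of Azure RBAC authorization: assignment-scope inheritance plus a
role's Actions / NotActions wildcards. Added example, not CAPZ code; the
subscription ID, principals and resource-group names are constructed."""
from dataclasses import dataclass
from fnmatch import fnmatchcase


def _matches(action: str, pattern: str) -> bool:
    # Azure action strings are case-insensitive. '*' matches any run of
    # characters including '/' separators, so "*" alone matches everything
    # and "*/read" matches every provider's read actions.
    return fnmatchcase(action.lower(), pattern.lower())


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple[str, ...]
    not_actions: tuple[str, ...] = ()

    def permits(self, action: str) -> bool:
        # Granted only if some Actions pattern matches and no NotActions
        # pattern does. NotActions narrows this role's grant; it is not a
        # deny, so another assignment could still grant the action.
        allowed = any(_matches(action, p) for p in self.actions)
        excluded = any(_matches(action, p) for p in self.not_actions)
        return allowed and not excluded


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: RoleDefinition
    scope: str  # ARM scope: /subscriptions/<id>[/resourceGroups/<rg>[/...]]

    def covers(self, resource_scope: str) -> bool:
        # Assignments inherit downward: one made at the subscription applies
        # to every resource group and resource beneath it; one made at a
        # resource group applies only to that group's subtree. The '/' is
        # appended so "capz-cluster" does not also match "capz-cluster-2".
        a = self.scope.lower().rstrip("/")
        r = resource_scope.lower().rstrip("/")
        return r == a or r.startswith(a + "/")


def is_authorized(assignments, principal: str, action: str, resource_scope: str) -> bool:
    """True if any of the principal's assignments both covers the scope and
    grants the action (RBAC is additive across assignments)."""
    return any(
        x.principal == principal and x.covers(resource_scope) and x.role.permits(action)
        for x in assignments
    )


# Built-in roles, abbreviated: Contributor's real NotActions list is longer,
# but these entries are what keep it from managing role assignments.
CONTRIBUTOR = RoleDefinition(
    "Contributor",
    actions=("*",),
    not_actions=(
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ),
)
READER = RoleDefinition("Reader", actions=("*/read",))

# Constructed scopes; the subscription ID is a placeholder.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
CAPZ_RG = f"{SUB}/resourceGroups/capz-cluster"
NEW_RG = f"{SUB}/resourceGroups/capz-cluster-2"
CAPZ_VM = f"{CAPZ_RG}/providers/Microsoft.Compute/virtualMachines/control-plane-0"
OTHER_VM = f"{SUB}/resourceGroups/unrelated/providers/Microsoft.Compute/virtualMachines/vm0"

CREATE_RG = "Microsoft.Resources/subscriptions/resourceGroups/write"
CREATE_VM = "Microsoft.Compute/virtualMachines/write"
READ_VM = "Microsoft.Compute/virtualMachines/read"
ASSIGN_ROLE = "Microsoft.Authorization/roleAssignments/write"

# Two candidate identities for the controller (hypothetical principals):
# Contributor at the subscription, or Contributor on one pre-created resource
# group. An assignment can only target a scope that already exists, so the
# second option presupposes the resource group was created beforehand.
ASSIGNMENTS = (
    RoleAssignment("capz-sub-contributor", CONTRIBUTOR, SUB),
    RoleAssignment("capz-rg-contributor", CONTRIBUTOR, CAPZ_RG),
    RoleAssignment("auditor", READER, SUB),
)


def least_privilege_report() -> dict[str, bool]:
    """Which operations each identity can perform under the assignments above."""
    checks = {
        "sub-contributor creates a new resource group": ("capz-sub-contributor", CREATE_RG, NEW_RG),
        "rg-contributor creates a new resource group": ("capz-rg-contributor", CREATE_RG, NEW_RG),
        "rg-contributor creates a VM in its group": ("capz-rg-contributor", CREATE_VM, CAPZ_VM),
        "rg-contributor creates a VM elsewhere": ("capz-rg-contributor", CREATE_VM, OTHER_VM),
        "sub-contributor writes a role assignment": ("capz-sub-contributor", ASSIGN_ROLE, CAPZ_RG),
        "auditor reads a VM": ("auditor", READ_VM, CAPZ_VM),
        "auditor creates a VM": ("auditor", CREATE_VM, CAPZ_VM),
    }
    return {name: is_authorized(ASSIGNMENTS, *args) for name, args in checks.items()}


if __name__ == "__main__":
    for check, ok in least_privilege_report().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {check}")
```

Running it shows the trade-off the comment describes: the resource-group-scoped Contributor can create VMs inside its own group but cannot create a second resource group, so subscription-scope Contributor is needed whenever the controller creates the group itself; it also shows that neither Contributor identity can write role assignments, which matters if a later component has to attach identities to VMs.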

Contributor Author


oh yeah, that is a good addition, let me try to do that

Contributor Author


updated

@nader-ziada (Contributor Author):

added some more details

@devigned (Contributor) left a comment:

/lgtm
/assign @CecileRobertMichon

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 20, 2021
Resolved review threads (outdated):
docs/book/src/SUMMARY.md
docs/book/src/topics/identities-use-cases.md (3 threads)
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 20, 2021
@nader-ziada (Contributor Author):

@CecileRobertMichon suggestions applied.

@CecileRobertMichon (Contributor) left a comment:

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 20, 2021
@k8s-ci-robot (Contributor):

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CecileRobertMichon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 20, 2021
@k8s-ci-robot k8s-ci-robot merged commit a25e517 into kubernetes-sigs:master Jan 20, 2021
@k8s-ci-robot k8s-ci-robot added this to the v0.4.11 milestone Jan 20, 2021
Closes issue #992: Document the different Azure identities, rights and use cases
5 participants