Add doc page about identities use cases #1117
@devigned not sure what is needed for this issue, but did this as a starting point, used some of the user stories from the multi-tenancy proposal as well.
/assign @mboersma
Yay! This is going to be super helpful for folks.
I've provided a bit of feedback. Just want to challenge us to be as clear as possible about the rights and roles we require to operate a cluster.
@@ -0,0 +1,68 @@ | |||
## How to use Identities with CAPZ |
I think there's one more, but it isn't used yet. What do you think about documenting, or pointing to the documentation for, AAD Pod Identity, b/c it will need an identity too for attaching Managed Identities to Azure VMs / VMSS machines?
@@ -0,0 +1,68 @@ | |||
## How to use Identities with CAPZ | |||
|
|||
## CAPZ controller: |
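Review bot: `## CAPZ controller:` sits at the same heading level as the page title `## How to use Identities with CAPZ` two lines above, so the controller section does not read as a part of that page; make it a subsection (`### CAPZ controller`) and drop the trailing colon, which markdown headings do not normally carry. One subsection per identity also gives a consistent place to list that identity's scope, role and reasoning.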
Not saying we should do this in this PR, but we should probably get as granular as the specific Azure Resource Manager rights that are required, or at a minimum what role is required. A role is composed of rights and there's a bunch predefined, like Contributor. Roles and rights are also scoped by subscription, group, etc.
Eventually, I think it would be best to define our own custom roles and specific scopes to ensure that we are using the least privilege possible for each role, while being as clear as possible about those rights and scopes.
Example would be:
CAPZ controller:
- Scope: Subscription
- Role: Contributor
- Rights: see default Azure Subscription Contributor documentation
- Reasoning: the controller is responsible for creating resource groups and cluster resources within the group. To create a resource group within a subscription, one must have subscription contributor rights. Note, this role's scope can be reduced to Resource Group Contributor if all resource groups are created prior to cluster creation.
WDYT?
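As an added audit example (not code from this PR or the CAPZ repository): the policy table below encodes the reviewer's example, with the controller reduced to Contributor on a pre-created resource group, and the check flags role assignments that exceed it by role or by scope. The identity name `capz-controller`, the sample assignments and the policy values are constructed; the JSON shape follows `az role assignment list -o json` output.

```python
"""Audit Azure role assignments against documented CAPZ identity requirements."""
import json
import re

# Built-in roles ordered from least to most privilege.
ROLE_RANK = {"Reader": 0, "Contributor": 1, "Owner": 2}
# Scope levels ordered from narrowest to broadest.
LEVEL_RANK = {"resource": 0, "resourceGroup": 1, "subscription": 2}
# Constructed policy table following the reviewer's example: with resource groups
# pre-created, the controller needs no more than Contributor on its resource group.
POLICY = {"capz-controller": {"role": "Contributor", "scope_level": "resourceGroup"}}
SCOPE_RE = re.compile(r"^/subscriptions/[^/]+(?:/resourceGroups/[^/]+(?:/providers/.+)?)?$")

def scope_level(scope: str) -> str:
    """Classify an ARM scope string as subscription, resourceGroup or resource."""
    if not SCOPE_RE.match(scope):
        raise ValueError(f"unrecognised scope: {scope}")
    parts = scope.strip("/").split("/")
    if "providers" in parts:
        return "resource"
    return "resourceGroup" if "resourceGroups" in parts else "subscription"

def find_overprivileged(assignments, policy=POLICY):
    """Return (principal, reason) pairs for assignments exceeding their documented role or scope."""
    findings = []
    for a in assignments:
        name = a["principalName"]
        if name not in policy:
            continue  # identities not in the table are out of scope for this check
        want, role = policy[name], a["roleDefinitionName"]
        if role not in ROLE_RANK:
            findings.append((name, f"role {role} is custom; compare its Actions manually"))
        elif ROLE_RANK[role] > ROLE_RANK[want["role"]]:
            findings.append((name, f"role {role} exceeds {want['role']}"))
        level = scope_level(a["scope"])
        if LEVEL_RANK[level] > LEVEL_RANK[want["scope_level"]]:
            findings.append((name, f"scope {level} broader than {want['scope_level']}"))
    return findings

# Constructed sample shaped like `az role assignment list -o json` output.
SAMPLE = json.loads("""[
  {"principalName": "capz-controller", "roleDefinitionName": "Owner",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
  {"principalName": "capz-controller", "roleDefinitionName": "Contributor",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/capz-rg"}
]""")

if __name__ == "__main__":
    for principal, reason in find_overprivileged(SAMPLE):
        print(f"{principal}: {reason}")
```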
oh yeah, that is a good addition, let me try to do that
updated
added some more details
/lgtm
/assign @CecileRobertMichon
@CecileRobertMichon suggestions applied.
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: CecileRobertMichon. The full list of commands accepted by this bot can be found here. The pull request process is described here.
What type of PR is this?
/kind documentation
Which issue(s) this PR fixes (optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged): Fixes #992