Consider limited kubeconfig for internal components and consumers #5553
Comments
Somehow related to this #3661
/kind proposal
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
/remove-lifecycle stale
/lifecycle frozen
@vincepri: Guidelines
Please ensure that the issue body includes answers to the following questions:
For more details on the requirements of such an issue, please see here and ensure that they are met. If this request no longer meets these requirements, the label can be removed.
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/triage accepted
This issue has not been updated in over 1 year, and should be re-triaged. You can:
For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/
/remove-triage accepted
/priority important-longterm
This is still important to improve the security posture of CAPI itself
User Story
As a developer/user/operator I would like CAPI core internal components to be granted only the perms they need.
Detailed Description
Today CAPI generates a full admin config that is then consumed by the Machine Controller and by any component claiming a cluster accessor through the remote cache tracker, i.e.
r.Tracker.GetClient(ctx, util.ObjectKey(cluster))
The Machine controller shouldn't need a full admin client to operate successfully.
There might be other components needing a narrowed set of permissions:
This is to discuss alternatives for:
1 - Create limited kubeconfigs for consumption of our internal core components.
2 - Consider providing a way to express the desire for CAPI to output t-shirt size / limited kubeconfigs.
Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]
/kind feature
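An added illustration of what the two halves of this proposal look like in code; it is not code from the issue or from Cluster API. It shows a check that tells an admin-style kubeconfig (client-certificate user) apart from a token-based one, and a derivation that keeps the workload cluster's server URL and CA bundle from the admin kubeconfig but replaces the admin certificate with a ServiceAccount token, so a consumer such as the Machine controller holds a credential whose reach is exactly what RBAC binds to that ServiceAccount. The kubeconfig schema is modelled with standard-library structs, every CA, certificate and token value is a constructed placeholder, and the premise that client-certificate authentication marks the generated admin credential is a heuristic assumed here. Which verbs a given controller actually needs is not decided by this snippet.

```go
package main

import (
	"encoding/json"
	"fmt"
)
// Minimal model of the kubeconfig (clientcmd v1) schema; JSON is valid YAML, so kubectl --kubeconfig reads the output unchanged.
type ClusterInfo struct {
	Server string `json:"server"`
	CAData string `json:"certificate-authority-data,omitempty"`
}
type Cluster struct {
	Name    string      `json:"name"`
	Cluster ClusterInfo `json:"cluster"`
}
type AuthInfo struct {
	ClientCertData string `json:"client-certificate-data,omitempty"`
	Token          string `json:"token,omitempty"`
}
type User struct {
	Name string   `json:"name"`
	User AuthInfo `json:"user"`
}
type ContextInfo struct {
	Cluster string `json:"cluster"`
	User    string `json:"user"`
}
type Context struct {
	Name    string      `json:"name"`
	Context ContextInfo `json:"context"`
}
type Kubeconfig struct {
	APIVersion     string    `json:"apiVersion"`
	Kind           string    `json:"kind"`
	Clusters       []Cluster `json:"clusters"`
	Users          []User    `json:"users"`
	Contexts       []Context `json:"contexts"`
	CurrentContext string    `json:"current-context"`
}
// lookup resolves current-context to the cluster and user entries it names.
func lookup(kc Kubeconfig) (*Cluster, *User, error) {
	for _, c := range kc.Contexts {
		for i := range kc.Clusters {
			for j := range kc.Users {
				if c.Name == kc.CurrentContext && kc.Clusters[i].Name == c.Context.Cluster && kc.Users[j].Name == c.Context.User {
					return &kc.Clusters[i], &kc.Users[j], nil
				}
			}
		}
	}
	return nil, nil, fmt.Errorf("current-context %q does not resolve to a cluster and a user", kc.CurrentContext)
}

// UsesClientCertificate reports whether the active user authenticates with a client certificate.
// Heuristic (assumption): the CAPI-generated admin kubeconfig is certificate-based; Kubernetes cannot revoke
// a client certificate and an admin cert is not narrowed by RBAC, so an internal consumer holding one is over-privileged.
func UsesClientCertificate(kc Kubeconfig) (bool, error) {
	_, u, err := lookup(kc)
	if err != nil {
		return false, err
	}
	return u.User.ClientCertData != "", nil
}

// DeriveLimited builds the kubeconfig for one internal consumer: it copies only the cluster entry
// (server URL and CA bundle) of the admin kubeconfig and swaps the admin certificate for a
// ServiceAccount token, so the consumer's reach is whatever RBAC binds to that ServiceAccount.
func DeriveLimited(admin Kubeconfig, consumer, token string) (Kubeconfig, error) {
	cl, _, err := lookup(admin)
	if err != nil {
		return Kubeconfig{}, err
	}
	if token == "" || cl.Cluster.CAData == "" {
		return Kubeconfig{}, fmt.Errorf("refusing to emit a kubeconfig without a token and a CA bundle")
	}
	return Kubeconfig{APIVersion: "v1", Kind: "Config", CurrentContext: consumer,
		Clusters: []Cluster{*cl},
		Users:    []User{{Name: consumer, User: AuthInfo{Token: token}}},
		Contexts: []Context{{Name: consumer, Context: ContextInfo{Cluster: cl.Name, User: consumer}}},
	}, nil
}

// SampleAdmin is a constructed admin kubeconfig; every credential value is a placeholder, not real material.
var SampleAdmin = Kubeconfig{
	APIVersion: "v1", Kind: "Config", CurrentContext: "admin@wl-1",
	Clusters:   []Cluster{{Name: "wl-1", Cluster: ClusterInfo{Server: "https://wl-1.example:6443", CAData: "PLACEHOLDER_CA_B64"}}},
	Users:      []User{{Name: "admin", User: AuthInfo{ClientCertData: "PLACEHOLDER_ADMIN_CERT_B64"}}},
	Contexts:   []Context{{Name: "admin@wl-1", Context: ContextInfo{Cluster: "wl-1", User: "admin"}}},
}

func main() {
	fmt.Println(UsesClientCertificate(SampleAdmin)) // true <nil>
	limited, err := DeriveLimited(SampleAdmin, "machine-controller", "PLACEHOLDER_SA_TOKEN")
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(limited, "", "  ")
	fmt.Println(string(out)) // a kubeconfig whose only user entry is the token user
}
```

Run with `go run` to print the derived kubeconfig as JSON. Creating the ServiceAccount, binding it to a Role or ClusterRole that lists only the verbs the consumer needs, and minting its token happen outside this snippet; the point is that once the credential is a ServiceAccount token, narrowing what the Machine controller may do becomes an RBAC change rather than reissuing certificates, and a kubeconfig that still carries a client certificate is easy to flag.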