This repository has been archived by the owner on May 27, 2022. It is now read-only.

[Enhancement Request] More complete Access Control for level-1 logical clouds #10

Open · BaudouinH opened this issue Apr 8, 2021 · 1 comment

Comments

@BaudouinH

Hello,

I'm currently using a level-1 logical cloud to deploy Prometheus Operator.

The manifest is as follows:

```yaml
version: emco/v2
resourceContext:
  anchor: projects/{{.ProjectName}}/logical-clouds
metadata:
  name: {{.PrometheusCloud}}
spec:
  namespace: prometheus
  user:
    user-name: emco
    type: certificate
    user-permissions:
    - permission-name: prometheus-permission
      apiGroups:
      - ""
      - "apps"
      - "k8splugin.io"
      - "monitoring.coreos.com"
      - "rbac.authorization.k8s.io"
      - "admissionregistration.k8s.io"
      - "batch"
      - "policy"
      - "apiextensions.k8s.io"
      resources:
      - secrets
      - pods
      - configmaps
      - services
      - deployments
      - resourcebundlestates
      - servicemonitors
      - podsecuritypolicies
      - serviceaccounts
      - rolebindings
      - roles
      - clusterroles
      - clusterrolebindings
      - validatingwebhookconfigurations   # was "validationwebhookconfigurations", not a Kubernetes resource name
      - mutatingwebhookconfigurations
      - jobs
      - prometheusrules
      - alertmanagers
      - alertmanagerconfigs
      - customresourcedefinitions
      - daemonsets
      - prometheuses   # plural of the Prometheus Operator CRD; "prometheus" would not match
      # duplicate "prometheusrules" entry removed
      verbs:
      - get
      - watch
      - list
      - create
```

Contrary to a role's definition, I cannot declare rules for a specific apiGroup/resource/verbs, like this for example:

```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: mynamespace-user-full-access
  namespace: mynamespace
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]
```

Furthermore, it is not clear if the logical-cloud's user permissions are cluster-wide or namespace-wide only.

I think implementing rules like a Kubernetes role, with a distinction for cluster-wide or namespace-wide permissions, could be a useful feature.
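As an added illustration (not code from this issue or from EMCO): a flat user-permission expands to the full cross product of apiGroups, resources and verbs, so needing `create` on one resource grants `create` on every listed resource in every listed apiGroup. The snippet below compares that expansion against Role-style rules and lists the excess grants; the shortened permission and the least-privilege target rules are constructed sample inputs, not taken from the issue.

```python
from itertools import product

# Constructed sample, shortened from the issue's manifest: EMCO's flat user-permission
# has one apiGroups list, one resources list and one verbs list, granted as a cross product.
FLAT_PERMISSION = {
    "permission-name": "prometheus-permission",
    "apiGroups": ["", "apps", "batch", "rbac.authorization.k8s.io"],
    "resources": ["secrets", "deployments", "jobs", "roles", "rolebindings"],
    "verbs": ["get", "list", "watch", "create"],
}

# Constructed least-privilege target written as Kubernetes Role rules (hypothetical needs).
INTENDED_RULES = [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch", "create"]},
    {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["get", "list", "watch", "create"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles", "rolebindings"],
     "verbs": ["get", "list", "watch", "create"]},
]


def expand_rules(rules):
    """Expand Role-style rules into the set of (apiGroup, resource, verb) triples they grant."""
    grants = set()
    for rule in rules:
        grants |= set(product(rule["apiGroups"], rule["resources"], rule["verbs"]))
    return grants


def expand_flat_permission(perm):
    """A flat logical-cloud permission is a single rule, so it expands to the whole cross product."""
    return expand_rules([perm])


def over_grants(perm, rules):
    """Triples the flat permission grants that no intended rule covers, sorted for stable output."""
    return sorted(expand_flat_permission(perm) - expand_rules(rules))


def write_grants(grants):
    """Subset of grants carrying a mutating verb; these are the ones to review first."""
    return [g for g in grants if g[2] in ("create", "update", "patch", "delete", "deletecollection")]


if __name__ == "__main__":
    extra = over_grants(FLAT_PERMISSION, INTENDED_RULES)
    print(f"flat schema grants {len(expand_flat_permission(FLAT_PERMISSION))} triples, "
          f"intended rules need {len(expand_rules(INTENDED_RULES))}, {len(extra)} are excess")
    for group, resource, verb in write_grants(extra):
        print(f"  excess: {verb} {resource} in apiGroup {group!r}")
```

Some excess triples name group/resource pairs that do not exist in the cluster (for example `deployments` in the core group) and are inert, but the mutating ones on real resources, such as `create` on `secrets`, are exactly what per-rule granularity would let the manifest avoid.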

@igordcard
Contributor

Hi @BaudouinH, thank you.
The permissions are currently namespace-wide only - for the namespace specified in the logical cloud. We are planning an enhancement in the future that will address this gap.
