BUILD-348: update shared resource via CSI Driver proposal#901
Conversation
gabemontero
force-pushed
the
csi-shared-resource-chg-sar-verb
branch
from
eddf2c8 to
0f95b68
Compare
gabemontero
force-pushed
the
csi-shared-resource-chg-sar-verb
branch
from
0f95b68 to
1f09b94
Compare
| And for controlling which human users can list or inspect the `SharedResources` available on a cluster: | ||
|
|
||
| ```yaml | ||
| rules: | ||
| - apiGroups: | ||
| - storage.openshift.io | ||
| resources: | ||
| - shareresources | ||
| verbs: | ||
| - list | ||
| - watch | ||
| - get |
There was a problem hiding this comment.
I think there is an argument to be made that this cluster role should be installed by the operator and aggregated to the user-facing "edit" role [1]:
- Edit users are assumed to create and manage workloads. By their very nature they are granted a high level of trust.
- Edit users are the primary audience who need to be able to discover shared resources.
- The details embedded in a SharedResource are IMO pseduo-sensitive, equivalent to a network IP address. The object can divulge the potential existence of a Secret/ConfigMap in another namespace. However the object does not provide full details of truly sensitive information contained in a Secret.
I really do like this solution with the use verb - it succeeds in separating usage of the shared resource with the discovery of the shared resource. I can envision a SharedResource to be secured as follows:
- Admins have full permissions (
*verb) - Editors have (
get,list), thereby can discover theSharedResources - Editors can request that a service account be granted the
usepermission. Admin configures the appropriate cluster rolebinding. - Editors can then deploy a workload which uses the shared resource.
[1] https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
adambkaplan
left a comment
adambkaplan
left a comment
There was a problem hiding this comment.
/lgtm
Not sure if we want the api discussion to block merge - IMO we can keep this as an open question and submit a follow-up PR once we've come to agreement.
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: adambkaplan The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
Bot
added
the
approved
|
@deads2k @jsafrane - just chatted with @adambkaplan on slack, and he did not intend to merge this PR with his lgtm if you all have cycles to still look at this, I'll take whatever comments you have and craft a follow up PR to incorporate them thanks |
5 participants
/assign @adambkaplan
/assign @deads2k
/assign @jsafrane
@coreydaley FYI
A refresh on out EP stemming from:
If the reference helps, openshift/csi-driver-shared-resource#51 includes changes articulated here (a POC if you will), as well as the latest version of @coreydaley 's openshift/api#979 but applied to the current in-repo API (i.e. the thing we want to migratate to https://github.com/openshift/api as part of getting this enhancement in the OCP payload).
As always, thanks everyone for prior collaboration that led to this PR, and the upcoming comments from you all once you get the cycles to review