Open ncdc opened 2 years ago
We also likely will need a way for kcp platform admins and/or kcp controllers to fully own resources in user workspaces. Depending on the solution for this issue, we may or may not need to create a separate issue for this use case.
Notably, this needs to work not only for the GRs that are exported in the APIExport, but also other namespaces that exist in the workspace (and are part of permission claims).
Note to myself: augmenting https://docs.google.com/document/d/1CB3QEyn90u_S6q_teOoWtk0f_Dp0Obo9JH2AUGbifPg/edit# with a very first sketch, but I want to create a separate doc.
Moved to v0.11 as we are still finalizing the API.
/milestone v0.12
Feature Description
As an API provider (i.e. the owner of an APIExport), I want full control over certain resources in a consumer's workspace, and not even a user with cluster-admin permissions in the consumer's workspace is allowed to edit these resources.
For example, an API provider that exports a Queue API resource might want to create a ResourceQuota instance that limits the number of Queues that a user can create in their workspace. The user must not be able to edit this ResourceQuota.
Proposed Solution
Will defer to @s-urbaniak 😄
Alternative Solutions
No response
Want to contribute?
Additional Context
xref https://github.com/kcp-dev/kcp/issues/1061#issuecomment-1137091541