Cross Namespace Event Links

[Cali0707]

Problem There have been many requests for triggers to be in different namespaces than brokers (see #7439, #6577, #5139). If we are to add this feature, it makes sense to add it for the other main "event link": the subscription.

The feature track can be seen here

Persona: Administrators, developers

Exit Criteria Alpha:

• [ ] Feature flag is added
• [ ] Triggers are able to refer to brokers in another namespace
• [ ] Subscriptions are able to refer to channels in another namespace
• [ ] Basic E2E tests showing the creation of triggers and subscriptions with appropriate auths and events flowing
• [ ] Basic E2E tests showing that creation of triggers and subscriptions without appropriate auths fails

Beta:

• [ ] More comprehensive E2E testing
• [ ] Enable the new RBAC verb by default, without enabling the authentication of the RBAC verb
• [ ] Communications with community members on how they will need to add the new RBAC “knsubscribe” verb to their RBAC setup

GA:

• [ ] Conformance tests
• [ ] Enabled by default

[Cali0707]

cc @pierDipi

[sadath-12]

Hi @Cali0707 . I am interested in solving this issue for upcoming LFX program

[jonathan-innis]

I wonder if there is any prior art that can be pulled from here: https://gateway-api.sigs.k8s.io/api-types/referencegrant/ rather than updating existing k8s RBAC verbiage.

[sadath-12]

Thank you @jonathan-innis for joining us in getting the best solution for this . So to summarize it

---

so , basically the owner of creating trigger and broker who has access to both the namespace would first create a ReferenceGrant sort of resource that would allow to refer each other resources . so coming to the case where the non-creator user would have the permission to do get request on trigger and can describe the defination to see broker exists in other namespace he still cant do anything since its the ReferenceGrant that makes the connection decision . for example if a user with get permission on trigger in test1 namespace see broker with name xyy exists in test2 namespace he can't go ahead and create trigger in other namespace and refer to that broker because the RefrenceGrant would not allow that failing the from condition .so basically it would be useless for him to know that particular resource exist

[pierDipi]

Reference Grant is interesting, there is a core k8s KEP too https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3766-referencegrant

[octonawish-akcodes]

I am also interested in this issue.

[btwshivam]

i am writing to express my excitement and gratitude for the upcoming mentorship during the 2024 Term 01. The prospect of being guided by someone of your caliber is truly inspiring, and I look forward to the growth and learning this experience will undoubtedly bring.

As we embark on this mentorship journey, I am eager to gain insights from your expertise and delve into the hands-on projects that will shape my understanding of the field. The anticipation of collaborating with like-minded peers and the expectation of a supportive learning environment have already fueled my enthusiasm.

I am confident that your mentorship will provide not only technical knowledge but also invaluable insights into the broader aspects of the industry. I appreciate the opportunity and am ready to make the most of this learning experience.

Thank you in advance for your guidance, and I look forward to the exciting and enriching journey ahead.

[deepak4566]

hey @pierDipi @Cali0707 im pretty much interested in this issue for upcoming LFX program and i do have experience of handling client go ,api machinery and building out kubernetes operators and admission controllers , i'm trying to learn about kafka and knative now and apply them .

[pierDipi]

For anyone interested in participating in LFX mentorship program, please share a feature track / design document using the mentors' emails so that we know what's your design idea for the solution, you can use the Knative feature track templates here https://docs.google.com/document/d/1FvezfvBghevCRoZUmN3SoTVtm6f_u_r5f94MEa4jNIA/edit

[pierDipi]

There is an update on the reference grant KEP https://github.com/kubernetes/enhancements/pull/4387

[prakrit55]

Hey @Cali0707 @pierDipi, I am interested for the upcoming lfx mentorship term, about it. How do you think the knsubscribe will get added as a new RBAC verb, is it expected to be configured in the webhook-clusterrole.yml and then using it ?

[yijie-04]

/assign

[github-actions[bot]]

This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Reopen the issue with /reopen. Mark the issue as fresh by adding the comment /remove-lifecycle stale.

[Cali0707]

/remove-lifecycle stale /triage accepted