enable RBAC filtering in assets

[jessegoodier]

What problem are you trying to solve?

currently RBAC allows for filtering in cost allocation. Customer requesting filtering in assets as well.

Ideally insure all saving and advanced reports adhere to filters as well.

Describe the solution you'd like

Customer has stated: "We have a bunch of groups and every group should have access to exactly one cluster. Also in every cluster we want to exclude visibility to a few namespaces."

The primary focus for the next revision could be on namespaces and clusters.

Describe alternatives you've considered

Gave other options for using the API to pull data into other dashboard, but kubecost UI has other valuable features.

How would users interact with this feature?

filters.json configmap

┆Issue is synchronized with this Jira Task by Unito

[dwbrown2]

I definitely see value in this, but I think there's some design needed here to do this well. Here are some open questions IMO:

• How do we communicate to users that a filter is being applied? Proposal is that settings should inform but we may need more.
• What happens if someone filters to say just S3 data with a specific label? Does that mean Allocation shows nothing?
• What happens when an Allocation and and Asset filter conflict or overlap? Do we respect both?
• How we make this easy for users to manage? I propose we might need some sort of visual manager for complex rules

Another approach would be to limit user access to very specific reports. @jessegoodier I'm curious have you heard a very specific situation that user(s) have in mind? Also, my understanding is that we currently support limiting visibility to specific clusters and namespace (in Allocation view)

[mmurph3]

+1

[mmurph3]

Customer feedback: Feature for adding groups of annotations/labels to RBAC filter groups in assets and allocations page. This is a blocker in prod.

[MrJW27]

@mmurph3 - Thomas is working to reproduce this issue, and we should have updates within a week or so

[dwbrown2]

@mmurph3 @jessegoodier do you guys have any more details on the top use cases you're seeing right now?

When I see this, it sounds like this would be filtering on k8s data, but I believe the main focus is on filtering cloud assets.

Customer has stated: "We have a bunch of groups and every group should have access to exactly one cluster. Also in every cluster we want to exclude visibility to a few namespaces."

[jessegoodier]

This has come up a couple more times. Most specifically with "service providers."

The general concern is that they would like to provide the "end users" access to the kubecost UI and they absolutely do not want them to access things that aren't specific to that customer.

The current alternative is for them to pull from the API into another tool.

For the service providers, there may be a potential need to hide all /savings and /settings (primary use case visibility)

For some, they would want /savings to be specific to the resources that the user is allowed to view.

[jessegoodier]

also some overlap here: https://github.com/kubecost/cost-analyzer-helm-chart/issues/1574#issuecomment-1197109170

[github-actions[bot]]

This issue has been marked as stale because it has been open for 360 days with no activity. Please remove the stale label or comment or this issue will be closed in 5 days.

[github-actions[bot]]

This issue was closed because it has been inactive for 365 days with no activity.

[chipzoller]

Transferred to appropriate repository.

[ecda909]

@chipzoller Which repository did this transfer to exactly?

[chipzoller]

features-bugs

[ecda909]

@chipzoller Do we know if this still being worked on? I'm trying to see if there is similar functionality in place for OIDC method like the Custom access roles (filters.json) for SAML...

[chipzoller]

It doesn't look like this is currently being worked on internally though we do have a feature request logged for it.

[dwbrown2]

Hi @ecda909, we're doing some related work on OIDC and plan to add more soon. Any interest in discussing your use case? Would love to get you connect with @kwombach12 if so!

[ecda909]

@dwbrown2 Yeah, that'd be great!