Description of the feature you would like to add / User story
As a KKP admin, I would like the functionality to explicitly block any updates/deletion operations on enforced Applications and the resources that are installed against those Applications.
Currently, we rely on KKP to reconcile and re-create/re-sync the state of the Application in case someone modifies it, but this is not ideal. We should block any requests to update/delete the enforced applications right away instead of relying on KKP to restore the state.
From @SimonTheLeg:
Maybe blocking it outright is a bit more user-friendly as they get an error message + saves us some resources on reconciling in case they start deleting/modifying over and over again.
This, however, is not that straightforward to implement. We need a clear distinction between who can and who can't update/delete the applications. For example, default-application-controller would still be able to update and in the future delete the enforced Applications. If you enforce an application but afterward remove the enforcement, your controllers should be aware that this application is no longer enforced and allow all CRUD operations against this.
At first, I tried implementing something like https://github.com/kubermatic/kubermatic/pull/13284 but that didn't help. It's nice to prevent "accidental deletes", which is it's purpose. But in our case, some miscreant actor can simply remove the annotation and then delete the resources.
I find this as a good use case for a tool like Kyverno that is built for such scenarios. A simple policy can prevent users not belonging to a group, or a dedicated user, from update/delete operations on Objects with the appropriate labels.
Current Status
With https://github.com/kubermatic/kubermatic/pull/13644, the enforced application cannot be deleted now. But we still don't block updates on the enforced ApplicationInstallation or deletion of its resources. Any such change will be reverted by KKP though.
Description of the feature you would like to add / User story
As a KKP admin, I would like the functionality to explicitly block any updates/deletion operations on enforced Applications and the resources that are installed against those Applications.
Currently, we rely on KKP to reconcile and re-create/re-sync the state of the Application in case someone modifies it, but this is not ideal. We should block any requests to update/delete the enforced applications right away instead of relying on KKP to restore the state.
From @SimonTheLeg:
This, however, is not that straightforward to implement. We need a clear distinction between who can and who can't update/delete the applications. For example,
default-application-controller
would still be able to update and in the future delete the enforced Applications. If you enforce an application but afterward remove the enforcement, your controllers should be aware that this application is no longer enforced and allow all CRUD operations against this.At first, I tried implementing something like https://github.com/kubermatic/kubermatic/pull/13284 but that didn't help. It's nice to prevent "accidental deletes", which is it's purpose. But in our case, some miscreant actor can simply remove the annotation and then delete the resources.
I find this as a good use case for a tool like Kyverno that is built for such scenarios. A simple policy can prevent users not belonging to a group, or a dedicated user, from update/delete operations on Objects with the appropriate labels.
Current Status
With https://github.com/kubermatic/kubermatic/pull/13644, the enforced application cannot be deleted now. But we still don't block updates on the enforced ApplicationInstallation or deletion of its resources. Any such change will be reverted by KKP though.