kubernetes-sigs / container-object-storage-interface-api

Container Object Storage Interface (COSI) API responsible to define API for COSI objects.
Apache License 2.0
63 stars 28 forks source link

Allow administrators to limit which Bucket(Access)Classes users can use #107

Open BlaineEXE opened 3 hours ago

BlaineEXE commented 3 hours ago

Admins should have a way to limit which BucketClasses and BucketAccessClasses that certain users (namespaces) can use. This can be broken down into 2 parts:

The latest prior art in the Kube ecosystem is Pod Security Admission and Resource Quotas -- and of course RBAC

None of the above tools allow us to limit the references that are allowed in BClaims/BAccesses. However, admins can rely on Resource Quotas and RBAC to limit whether namespaces are allowed to create BClaims/BAccesses, and how many can be created. We should rely on existing mechanisms where possible, so we will not plan to implement tools for those limitations.

From our current understanding, there are no KEPs currently that are attempting to address broadly-applicable control of references. We could attempt to start such a KEP if we want to.

We may wish to implement a mechanism in COSI that will allow us to give administrators control over user consumption of COSI resources during COSI's early phases (right now). We should do our best to implement this mechanism in such a way that it can be easily replaced with a broadly-applicable implementation in the future.

Note 18 July 2024: approach sig-auth for suggestions about implementation/design

BlaineEXE commented 3 hours ago

sig-auth may have thoughts about how to do this