operator-framework / enhancements

Apache License 2.0

Service Binding for operator-backed services #12

Open sbose78 opened 4 years ago

sbose78 commented 4 years ago

@dmesser @ecordell I've made some progress with the proposal with 20% remaining, do you mind taking a look and helping me with early feedback if the format and content of the proposal makes sense? Let me know if there's something explicitly I should be adding.

CC @siamaksade

dmesser commented 4 years ago

@sbose78 Thank you. Can you add some information about the following:

sbose78 commented 4 years ago

Thank you. I am working to define a specification as well (early stage, needs work) along with a plan for the first wave of adopters. I'll update this with the new information!

sbose78 commented 4 years ago

We made agreements on what the specification could look like https://github.com/application-stacks/service-binding-specification and stabilized it for the time being.

Based on the conversations, I will be updating the proposal and taking it to completion.

sbose78 commented 4 years ago

Removed WIP, there are a few additions I'll make along the way, however it is ready for a detailed review now.

sbose78 commented 4 years ago

How do we avoid that a user that normally doesn't have the privileges to read bindable fields can misuse the Service Binding Operator to get those injected into a resource they have access to?

I'll add the section, thank you @dmesser !

We'll be doing Subject Access Review checks using a validating webhook - it isn't supported yet, but we have an epic on our backlog https://issues.redhat.com/browse/APPSVC-546

If there's anything that needs to be prioritized to ensure the transition is smooth, we shall prioritize.
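Added example, not part of the thread and not Service Binding Operator code: a sketch of the check described in the comment above, where a validating webhook asks whether the user who submitted a binding may themselves read the backing service. The `spec.service` field layout, the `PLURALS` lookup, the same-namespace assumption and the sample request are all assumptions constructed for illustration.

```python
import json

# Hypothetical kind -> plural lookup; a real webhook would use API discovery.
PLURALS = {"Database": "databases"}

SAMPLE = {  # constructed AdmissionReview request for a ServiceBinding
    "request": {
        "uid": "constructed-uid-1",
        "namespace": "team-a",
        "userInfo": {"username": "alice", "groups": ["system:authenticated"]},
        "object": {"kind": "ServiceBinding", "spec": {"service": {
            "apiVersion": "example.com/v1", "kind": "Database", "name": "orders-db"}}},
    }
}

def build_sar(review, plurals=PLURALS):
    """SubjectAccessReview: may the *requesting user* (not the operator's
    service account) `get` the service the binding points at?"""
    req = review["request"]
    svc = req["object"]["spec"]["service"]  # assumed field layout
    group, _, version = svc["apiVersion"].rpartition("/")  # "" group = core API
    return {
        "apiVersion": "authorization.k8s.io/v1",
        "kind": "SubjectAccessReview",
        "spec": {
            "user": req["userInfo"]["username"],
            "groups": req["userInfo"].get("groups", []),
            "resourceAttributes": {
                "namespace": req["namespace"],  # assumes same-namespace service
                "verb": "get", "group": group, "version": version,
                "resource": plurals[svc["kind"]], "name": svc["name"],
            },
        },
    }

def admission_response(review, sar_status):
    """Map the SubjectAccessReview status to the webhook verdict.
    Fails closed: only an explicit, un-denied allow admits the binding."""
    allowed = bool(sar_status.get("allowed")) and not sar_status.get("denied")
    resp = {"uid": review["request"]["uid"], "allowed": allowed}
    if not allowed:
        resp["status"] = {"code": 403,
                          "message": "user may not read the referenced service"}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": resp}

if __name__ == "__main__":
    print(json.dumps(build_sar(SAMPLE), indent=2))
    print(json.dumps(admission_response(SAMPLE, {"allowed": False}), indent=2))
```

The point of impersonating the requester in the review is that the operator's own permissions never stand in for the user's, so a binding cannot be used to read fields the user could not read directly.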

shawn-hurley commented 4 years ago

Do we want this as a part of the default OLM install for the upstream install of OLM?

sbose78 commented 4 years ago

Do we want this as a part of the default OLM install for the upstream install of OLM?

@dmesser @siamaksade I'll need you to weigh in on this.

baijum commented 3 years ago

Thank you. I am working to define a specification as well (early stage, needs work) along with a plan for the first wave of adopters. I'll update this with the new information!

The specification @sbose78 mentioned has moved here: https://github.com/k8s-service-bindings/spec Also, Red Hat's Service Binding Operator is no longer conforming to the spec. Currently the only spec-compliant implementation is from VMware: https://github.com/vmware-labs/service-bindings I have a side project which is aiming for core-spec compliance with few extensions: https://github.com/kubepreset/kubepreset (demo)

baijum commented 3 years ago

I have a side project which is aiming for core-spec compliance with few extensions: https://github.com/kubepreset/kubepreset (demo)

Update: I stopped working on my side-project for now.

The spec is now part of a Kubernetes SIG: https://github.com/kubernetes-sigs/service-catalog/issues/2857

bparees commented 3 years ago

@sbose78 I am struggling to understand what this is proposing, vs what exists already in SBO + OLM.

It talks about several different apis/annotations for specifying bindings, some generic and some specific to operators. Can you rework this to make it clearer which part is "background info" about how things work today, and which parts are the actual proposed enhancements?

It would also help if it was clearer whether this is proposing changes just in OLM, changes just in SBO, or both.

sbose78 commented 3 years ago

Yes, this enhancement proposal needs some maintenance since this was a while ago. I'm on it!

sbose78 commented 3 years ago

@bparees I've updated the proposal to reflect the current state of SBO accurately.