sighupio / permission-manager

Permission Manager is a project that brings sanity to Kubernetes RBAC and Users management, Web UI FTW
https://sighup.io/
BSD 3-Clause "New" or "Revised" License
1.3k stars 172 forks

Feature: allow flexible subjects for clusterrolebindings/rolebindings #41

Open stjudecloud-cloudy opened 4 years ago

stjudecloud-cloudy commented 4 years ago

In Azure AKS, users can be granted access either by their AD group membership or directly by their AD user ID. It would be extremely useful if user access management could be done using permission-manager.

In order to achieve it, it would be necessary to allow different kinds of subjects for both clusterrolebinding and rolebinding. This is an example of a clusterrolebinding used for assigning RBAC to an AD group:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-developer
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: id-redacted

Similarly, kind: User can be used to grant a specific user access to Kubernetes using RBAC. Ideally, the web interface should allow creation of different kinds of subjects and use the created subjects for access grants.
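The three subject kinds the comment above refers to are not interchangeable: the apiserver's RBAC validation requires apiGroup rbac.authorization.k8s.io on User and Group subjects, an empty apiGroup on ServiceAccount subjects, and a namespace on a ServiceAccount subject whenever the binding is cluster-scoped, and a ClusterRoleBinding may only reference a ClusterRole. The following Go program is an added example, not code from the permission-manager project, that builds the issue's ClusterRoleBinding with a Group and a User subject and rejects the combinations the apiserver would reject. The validation rules are reproduced from the upstream RBAC validation as I understand it (check them against your cluster version); the group object ID, user name and role names are constructed placeholders. Note that on AKS with Azure AD integration a Group subject is the group's object ID rather than its display name (which is why the issue redacts it), and that binding a Group grants the role to every current and future member the identity provider places in that group.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// RBACGroup is the API group that User and Group subjects must carry.
const RBACGroup = "rbac.authorization.k8s.io"

// Subject mirrors the rbac.authorization.k8s.io/v1 Subject schema.
type Subject struct {
	Kind      string `json:"kind"`
	APIGroup  string `json:"apiGroup,omitempty"`
	Name      string `json:"name"`
	Namespace string `json:"namespace,omitempty"`
}

// RoleRef mirrors the v1 RoleRef schema.
type RoleRef struct {
	APIGroup string `json:"apiGroup"`
	Kind     string `json:"kind"`
	Name     string `json:"name"`
}

// Binding is a ClusterRoleBinding or RoleBinding manifest, with metadata
// trimmed to the fields this example needs.
type Binding struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Metadata   struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace,omitempty"`
	} `json:"metadata"`
	RoleRef  RoleRef   `json:"roleRef"`
	Subjects []Subject `json:"subjects"`
}

// UserSubject binds the username the cluster's authenticator asserts.
func UserSubject(name string) Subject {
	return Subject{Kind: "User", APIGroup: RBACGroup, Name: name}
}

// GroupSubject binds every principal the authenticator places in the group.
func GroupSubject(name string) Subject {
	return Subject{Kind: "Group", APIGroup: RBACGroup, Name: name}
}

// ServiceAccountSubject binds a ServiceAccount; apiGroup stays empty.
func ServiceAccountSubject(namespace, name string) Subject {
	return Subject{Kind: "ServiceAccount", Name: name, Namespace: namespace}
}

// ValidateSubject applies the per-kind rules (assumed from the apiserver's
// RBAC validation). clusterScoped is true for a ClusterRoleBinding, where a
// ServiceAccount subject has no binding namespace to default to.
func ValidateSubject(s Subject, clusterScoped bool) error {
	if s.Name == "" {
		return errors.New("subject name is required")
	}
	switch s.Kind {
	case "ServiceAccount":
		if s.APIGroup != "" {
			return fmt.Errorf("ServiceAccount subject must have empty apiGroup, got %q", s.APIGroup)
		}
		if clusterScoped && s.Namespace == "" {
			return errors.New("ServiceAccount subject in a ClusterRoleBinding requires a namespace")
		}
	case "User", "Group":
		if s.APIGroup != RBACGroup {
			return fmt.Errorf("%s subject must have apiGroup %q, got %q", s.Kind, RBACGroup, s.APIGroup)
		}
	default:
		return fmt.Errorf("unsupported subject kind %q", s.Kind)
	}
	return nil
}

// NewBinding builds a validated ClusterRoleBinding (namespace "") or
// RoleBinding (namespace set) that grants ref to subjects.
func NewBinding(name, namespace string, ref RoleRef, subjects []Subject) (*Binding, error) {
	clusterScoped := namespace == ""
	b := &Binding{APIVersion: RBACGroup + "/v1", RoleRef: ref, Subjects: subjects}
	b.Metadata.Name = name
	b.Metadata.Namespace = namespace
	if ref.APIGroup != RBACGroup {
		return nil, fmt.Errorf("roleRef.apiGroup must be %q, got %q", RBACGroup, ref.APIGroup)
	}
	if clusterScoped {
		b.Kind = "ClusterRoleBinding"
		if ref.Kind != "ClusterRole" {
			return nil, fmt.Errorf("a ClusterRoleBinding can only reference a ClusterRole, got %q", ref.Kind)
		}
	} else {
		b.Kind = "RoleBinding"
		if ref.Kind != "Role" && ref.Kind != "ClusterRole" {
			return nil, fmt.Errorf("roleRef.kind must be Role or ClusterRole, got %q", ref.Kind)
		}
	}
	for i, s := range subjects {
		if err := ValidateSubject(s, clusterScoped); err != nil {
			return nil, fmt.Errorf("subjects[%d]: %w", i, err)
		}
	}
	return b, nil
}

// JSON renders the manifest; kubectl apply accepts JSON as well as YAML.
func (b *Binding) JSON() (string, error) {
	out, err := json.MarshalIndent(b, "", "  ")
	if err != nil {
		return "", err
	}
	return string(out), nil
}

func main() {
	// The issue's example: a ClusterRole granted to an Azure AD group (the
	// group name is a constructed placeholder for its object ID) and a user.
	ref := RoleRef{APIGroup: RBACGroup, Kind: "ClusterRole", Name: "cluster-developer"}
	b, err := NewBinding("test", "", ref, []Subject{
		GroupSubject("00000000-0000-0000-0000-000000000000"),
		UserSubject("alice@example.com"),
	})
	if err != nil {
		panic(err)
	}
	out, _ := b.JSON()
	fmt.Println(out)

	// What the apiserver would reject: a ServiceAccount subject with no
	// namespace in a cluster-scoped binding.
	_, err = NewBinding("bad", "", ref, []Subject{{Kind: "ServiceAccount", Name: "ci"}})
	fmt.Println("rejected:", err)
}
```

The same ServiceAccount subject is accepted in a RoleBinding, where a missing namespace defaults to the binding's own; the difference is exactly the kind of subject-specific rule a UI that offers more than ServiceAccount subjects has to encode.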

angelbarrera92 commented 4 years ago

Uhmm, we have to analyze it. Currently, when a permissionmanageruser is created, a serviceaccount is created too, so all bindings stick to the serviceaccount subject.

Changing the 🔝 behaviour is a major change that we have to evaluate, but we understand the situation.

sandeepcp commented 2 years ago

This is just creating a service account. We would like to see more functionality like Roles and Role bindings. As per the documentation, a service account is just for applications and jobs.