Open BaudouinH opened 3 years ago
Hello,
I'm currently using a level-1 logical cloud to deploy Prometheus Operator.
The manifest is as follows:

```yaml
version: emco/v2
resourceContext:
  anchor: projects/{{.ProjectName}}/logical-clouds
metadata:
  name: {{.PrometheusCloud}}
spec:
  namespace: prometheus
  user:
    user-name: emco
    type: certificate
    user-permissions:
    - permission-name: prometheus-permission
      apiGroups:
      - ""
      - "apps"
      - "k8splugin.io"
      - "monitoring.coreos.com"
      - "rbac.authorization.k8s.io"
      - "admissionregistration.k8s.io"
      - "batch"
      - "policy"
      - "apiextensions.k8s.io"
      resources:
      - secrets
      - pods
      - configmaps
      - services
      - deployments
      - resourcebundlestates
      - servicemonitors
      - podsecuritypolicies
      - serviceaccounts
      - rolebindings
      - roles
      - clusterroles
      - clusterrolebindings
      # the Kubernetes resource name is validatingwebhookconfigurations
      # (the original read "validationwebhookconfigurations")
      - validatingwebhookconfigurations
      - mutatingwebhookconfigurations
      - jobs
      - prometheusrules
      - alertmanagers
      - alertmanagerconfigs
      - customresourcedefinitions
      - daemonsets
      - prometheus
      - prometheusrules
      verbs:
      - get
      - watch
      - list
      - create
```
Contrary to a role's definition, I cannot declare rules for a specific apiGroup/resource/verbs, like this for example:
```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: mynamespace-user-full-access
  namespace: mynamespace
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["batch"]
  resources:
  - jobs
  - cronjobs
  verbs: ["*"]
```
Furthermore, it is not clear if the logical-cloud's user permissions are cluster-wide or namespace-wide only.
I think implementing rules like a Kubernetes role, with a distinction for cluster-wide or namespace-wide permissions, could be a useful feature.
Hi @BaudouinH, thank you. The permissions are currently namespace-wide only - for the namespace specified in the logical cloud. We are planning an enhancement in the future that will address this gap.
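To make the gap concrete, here is an added Python example (not EMCO code and not part of the issue thread). It treats a flat user-permission as the cross product apiGroups × resources × verbs, which is exactly what a single Role rule with those three lists grants, compares it with the per-rule Role the reporter asks for, and, since the permissions are namespace-wide today, flags cluster-scoped resources that a namespace-scoped Role cannot grant at all. The permission and rules below are constructed, trimmed versions of the manifests quoted in the issue; the mapping of a flat permission to one Role rule is an assumption about how such a permission would be rendered, not EMCO's documented behaviour.

```python
"""Audit a flat apiGroups/resources/verbs permission against a per-rule RBAC policy.

Added example: inputs are constructed from the manifests quoted in the issue.
"""
from itertools import product

# Constructed: a trimmed version of the issue's flat logical-cloud permission.
FLAT_PERMISSION = {
    "apiGroups": ["", "apps", "batch", "rbac.authorization.k8s.io"],
    "resources": ["pods", "secrets", "deployments", "jobs", "roles", "clusterroles"],
    "verbs": ["get", "list", "watch", "create"],
}

# Constructed: the same intent written as separate Role rules (what the issue asks for).
ROLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch", "create"]},
    {"apiGroups": ["batch"], "resources": ["jobs"], "verbs": ["create", "get"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["roles"], "verbs": ["get"]},
]

# Partial, constructed list of resource kinds that exist only at cluster scope in
# Kubernetes; a namespaced Role cannot grant access to any of them.
CLUSTER_SCOPED = {
    "clusterroles", "clusterrolebindings", "customresourcedefinitions",
    "podsecuritypolicies", "validatingwebhookconfigurations",
    "mutatingwebhookconfigurations",
}


def expand(rule):
    """A single rule grants every (apiGroup, resource, verb) combination of its lists."""
    return set(product(rule["apiGroups"], rule["resources"], rule["verbs"]))


def expand_rules(rules):
    """Union of the grants of several independent rules."""
    grants = set()
    for rule in rules:
        grants |= expand(rule)
    return grants


def excess_grants(flat, rules):
    """Triples the flat permission grants that the per-rule policy does not."""
    return expand(flat) - expand_rules(rules)


def ineffective_cluster_scoped(flat):
    """Resources requested in a namespace-scoped permission that a Role cannot grant."""
    return sorted(set(flat["resources"]) & CLUSTER_SCOPED)


def as_role(flat, name, namespace):
    """Assumed rendering: a flat permission becomes one Role with one cross-product rule."""
    return {
        "kind": "Role",
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "metadata": {"name": name, "namespace": namespace},
        "rules": [{
            "apiGroups": list(flat["apiGroups"]),
            "resources": list(flat["resources"]),
            "verbs": list(flat["verbs"]),
        }],
    }


if __name__ == "__main__":
    excess = excess_grants(FLAT_PERMISSION, ROLE_RULES)
    print(f"flat permission grants {len(expand(FLAT_PERMISSION))} triples")
    print(f"per-rule policy grants {len(expand_rules(ROLE_RULES))} triples")
    print(f"{len(excess)} triples are granted only by the flat permission, e.g.:")
    for triple in sorted(excess)[:5]:
        print("  ", triple)
    print("cluster-scoped resources a namespaced Role cannot grant:",
          ineffective_cluster_scoped(FLAT_PERMISSION))
```

The excess set is the privilege a reviewer should look at: it contains grants such as `("", "secrets", "create")` that the per-rule policy never intended, because the flat form cannot say "create jobs" without also saying "create secrets". The cluster-scoped check explains why entries like `clusterroles` in a namespace-wide permission are silently ineffective rather than dangerous, and why the reporter's request for a cluster-wide/namespace-wide distinction matters.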