Prior to this change in spaces, authentication to a control plane supported using the Kubernetes RBAC of the hub cluster. This meant as long as you used a cluster-admin to authenticate to the hub cluster, you could re-use those same credentials to authenticate to any of the control planes.
After that change, we expect that all authentication would go through Upbound IAM/RBAC by default. As such, ability to use Kubernetes RBAC was changed from opt-out to opt-in (breaking backward compatibility). However, Upbound IAM is only supported after connecting a space to cloud and the workflow for authenticating connected spaces is not yet ready. Therefore users cannot connect to any control planes from a spaces cluster running with the default values from version 1.3.1+.
This change opts in to the Kubernetes RBAC values, rolling back to the previous default authn/authz model. These defaults should be reverted once support for connecting to control planes in connected spaces works end-to-end.
[x] Run make reviewable to ensure this PR is ready for review.
[ ] Added backport release-x.y labels to auto-backport this PR, as appropriate.
How has this code been tested
Running up space init --token-file=${userHome}/Keys/orchestration-build-b2e221ce1547.json v1.4.0-rc.0.40.gd33e4eb4 --set=account=upbound produces the following helm values:
And up ctx can now connect to the control plane just like before: