Uploaded image for project: 'Red Hat Advanced Cluster Management'
  1. Red Hat Advanced Cluster Management
  2. ACM-28982

ACM provide option to manage spoke-cluster with hub having limited permissions

XMLWordPrintable

    • Icon: Feature Feature
    • Resolution: Unresolved
    • Icon: Major Major
    • None
    • None
    • None
    • False
    • Hide

      None

      Show
      None
    • False
    • Not Selected

      Feature Overview

      There are some customers (and some patterns) which claim that by default a hub cluster has too many permissions.
      Currently when you import Managed-Clusters, several Service-accounts are deployed which has Cluster-Admin permissions.

      When a managed cluster is imported, the agents (Klusterlet) and add-ons deploy several ServiceAccounts. Here they are with short descriptions:

      Core Klusterlet Agents

      • klusterlet-registration-sa: Manages cluster registration, certificate rotation, and heartbeat reporting to the Hub.
      • klusterlet-work-sa: Executes tasks sent from the Hub (via ManifestWork); holds cluster-admin to create/modify any resource on the Spoke.

      Governance & Policy Add-ons

      • config-policy-controller-sa: Scans the Spoke cluster to check if resources comply with Hub-defined policies.
      • governance-policy-framework-sa: Aggregates policy compliance status and sends reports back to the Hub.
      • cert-policy-controller-sa: Specifically monitors the Spoke for expiring or non-compliant SSL/TLS certificates.
      • iam-policy-controller-sa: Monitors and reports on RBAC and identity management compliance.

      Application & Observability Add-ons

      • application-manager-sa: Deploys and manages lifecycle for applications (Subscriptions/GitOps) on the Spoke.
      • search-collector-sa: Collects metadata of all cluster resources to provide a searchable inventory on the Hub UI.
      • work-manager-sa: Provides the status feedback loop for work-related tasks and API responses to the Hub.

      Other Utilities

      • managed-serviceaccount-sa: (If enabled) Manages the lifecycle and token rotation of custom service accounts projected from the Hub.

      This means the Hub has 100% control over any object on a Managed-Cluster.

      For Applications a custom ClusterPermission can be set and this could be even set to read-only permissions.
      Here you see an example how ClusterPermission is configured:
      https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_management_for_kubernetes/2.15/html-single/gitops/index#using-policy

      We look for options there the Hub does still manage Spoke-Clusters, can e.g. do some specific API call, can see certain things but there are clear, configurable boundaries. A boundary is likely that the Hub does not have ClusterAdmin permission at all on the Managed-Clusters , maybe just on a some certain namespace.

      The option should be available:

      • During Import: The user provides a specific Role or ClusterRole name that the Klusterlet should assume.
      • Post-Import: This should be "Day 2" configurable via the ManagedCluster or KlusterletAddonConfig CRDs (Custom Resource Definitions).

       

      If a Managed-Cluster uses this restricted mode it needs to be clearly highlighted in the UI

       

      This read only Management layer would also fit will to Global-Hub scenarios.

       

       

      ...

       

      Goals

      This Section: Provide high-level goal statement, providing user context
      and expected user outcome(s) for this feature

      Requirements

      This Section: A list of specific needs or objectives that a Feature must
      deliver to satisfy the Feature.. Some requirements will be flagged as MVP.
      If an MVP gets shifted, the feature shifts. If a non MVP requirement slips,
      it does not shift the feature.

      Requirement Notes isMvp?
      CI - MUST be running successfully with test automation This is a
      requirement for ALL features.      		 YES
      Release Technical Enablement Provide necessary release enablement details
      and documents.      		 YES

      (Optional) Use Cases

      This Section:

      • Main success scenarios - high-level user stories
      • Alternate flow/scenarios - high-level user stories
      • ...

      Questions to answer

      • ...

      Out of Scope

      Background, and strategic fit

      This Section: What does the person writing code, testing, documenting
      need to know? What context can be provided to frame this feature?

      Assumptions

      • ...

      Customer Considerations

      • ...

      Documentation Considerations

      Questions to be addressed:

      • What educational or reference material (docs) is required to support this
        product feature? For users/admins? Other functions (security officers, etc)?
      • Does this feature have a doc impact?
      • New Content, Updates to existing content, Release Note, or No Doc Impact
      • If unsure and no Technical Writer is available, please contact Content
        Strategy.
      • What concepts do customers need to understand to be successful in
        [action]?
      • How do we expect customers will use the feature? For what purpose(s)?
      • What reference material might a customer want/need to complete [action]?
      • Is there source material that can be used as reference for the Technical
        Writer in writing the content? If yes, please link if available.
      • What is the doc impact (New Content, Updates to existing content, or
        Release Note)?

              Unassigned Unassigned
              rhn-support-cstark Christian Stark
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Created:
                Updated: