Uploaded image for project: 'OpenShift Builds'
  1. OpenShift Builds
  2. BUILD-1226

Simplify RBAC for Shared Resources

XMLWordPrintable

    • Icon: Epic Epic
    • Resolution: Unresolved
    • Icon: Normal Normal
    • None
    • None
    • shared-resources
    • None
    • Simplify RBAC for Shared Resources
    • False
    • Hide

      None

      Show
      None
    • False
    • Not Selected
    • To Do
    • SECFLOWOTL-227 - Improve RHEL Subscription Content Experience for Builds

      Epic Goal

      Simplify the Shared Resources RBAC experience so that cluster admins do not need to create nearly as many (Cluster)Roles and RoleBindings.

      Why is this important?

      The current procedure to set up a SharedSecret or SharedConfigMap requires cluster admins to create multiple RBAC objects in sequence - namely:

      1. Create ClusterRole to use the resource
      2. Create Role/RoleBinding for Shared Resource CSI Driver to access the underlying Secret/ConfigMap
      3. Create RoleBinding for service accounts.

      Of these, the first two can absolutely be managed by a separate controller for SharedSecret/SharedConfigMap objects. For item 3, we can extend the SharedSecret/SharedConfigMap API to let customers aggregate the generated ClusterRole to a user-facing role. For example, aggregate the entitlement secret access to the "edit" or "admin" user-facing roles.

      Scenarios

      1. As a cluster admin, I want Builds for OpenShift to create a ClusterRole for any SharedSecret and SharedConfigMap object so that it is easier for platform teams/namespace admins to use a Shared resource object in a workload
      2. As a cluster admin, I want Builds for OpenShift to create the Role/RoleBinding for the Shared Resource CSI driver so that I reduce toil maintaining SharedSecret and SharedConfigMap objects.
      3. As a cluster admin, I want managed RBAC for Shared Resources to work with existing RBAC I created by hand in prior releases.
      4. As a cluster admin, I want to aggregate the ClusterRole for shared secrets to user-facing roles on my cluster, so that I do not need to create RoleBindings for every user and service account that needs it.

      Acceptance Criteria (Mandatory)

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.
      • ...

      Dependencies (internal and external)

      1. ...

      Previous Work (Optional):

      Open questions::

      Done Checklist

      • Acceptance criteria are met
      • Non-functional properties of the Feature have been validated (such as performance, resource, UX, security or privacy aspects)
      • User Journey automation is delivered
      • Support and SRE teams are provided with enough skills to support the feature in production environment

              Unassigned Unassigned
              adkaplan@redhat.com Adam Kaplan
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated: