-
Feature
-
Resolution: Unresolved
-
Critical
-
None
-
None
-
BU Product Work
-
False
-
-
False
-
-
100% To Do, 0% In Progress, 0% Done
-
0
Feature Overview (aka. Goal Summary)
Workload identity is a key part of the zero-trust model. The SPIRE project aims to simplify the management and distribution of workload identities in the form of cryptographically verifiable identity documents. There is an increasing interest and uptake in this space within the Cloud native ecosystem. The goal is to give customers a practical and scalable way to establish trust in a multi-cloud, multi-platform environment. It will strengthen OpenShift’s security capabilities and value-add as organizations harden their security policies.
Support SPIRE integration with Kessel Operator
SPIRE operator deployments in Edge and disconnected clusters.
Goals (aka. expected user outcomes)
SPIRE Operator integrates with Kessel to provide Workload identity authentication with fine-grained Relationship-based access control from Kessel
Requirements (aka. Acceptance Criteria):
| Activity | Dependency | Contacts |
| SPIRE Operator integrates with Kessel to provide Workload identity authentication with fine-grained Relationship-based access control from Kessel | Support from HCC team for Integration testing with Kessel | Alec Henninger Ryan Abbott |
__
Anyone reviewing this Feature needs to know which deployment configurations that the Feature will apply to (or not) once it's been completed. Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out-of-scope for a given release, ensure you provide the OCPSTRAT (for the future to be supported configuration) as well.
| Deployment considerations | List applicable specific needs (N/A = not applicable) |
| Self-managed, managed, or both | Y |
| Classic (standalone cluster) | Y |
| Hosted control planes | Y |
| Multi node, Compact (three node), or Single node (SNO), or all | |
| Connected / Restricted Network | |
| Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x) | |
| Operator compatibility | |
| Backport needed (list applicable versions) | |
| UI need (e.g. OpenShift Console, dynamic plugin, OCM) | |
| Other (please specify) |
Use Cases (Optional):
Include use case diagrams, main success scenarios, alternative flow scenarios. Initial completion during Refinement status.
<To be added>
Questions to Answer (Optional):
From Alec Henninger There is just one "user" type for all service accounts/workloads or human users in Kessel. This is so that there is no special casing of access set up – an identity is an identity. A thing gets permissions or it doesn't.
However, all identities are also namespaced by their "issuer". So for example SPIFFE identities could be prefixed with a certain SPIRE issuer. That way they can be assigned permissions / permissions checked like any other user.
Out of Scope
High-level list of items that are out of scope. Initial completion during Refinement status.
<your text here>
Background
Provide any additional context is needed to frame the feature. Initial completion during Refinement status.
<your text here>
Customer Considerations
Provide any additional customer-specific considerations that must be made when designing and delivering the Feature. Initial completion during Refinement status.
<your text here>
Documentation Considerations
Provide information that needs to be considered and planned so that documentation will meet customer needs. If the feature extends existing functionality, provide a link to its current documentation. Initial completion during Refinement status.
<your text here>
Interoperability Considerations
Which other projects, including ROSA/OSD/ARO, and versions in our portfolio does this feature impact? What interoperability test scenarios should be factored by the layered products? Initial completion during Refinement status.
<your text here>
- clones
-
-
- New
-
- is cloned by
-
-
- New
-
