Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-550

OLM v1: Ability to configure user/group permissions to provided APIs (a part of F12)

XMLWordPrintable

    • Strategic Product Work
    • False
    • Hide

      None

      Show
      None
    • False
    • OCPSTRAT-27OLM V1: Operators, Operator Lifecycle Management, and Operator Hub
    • 100% To Do, 0% In Progress, 0% Done
    • 0
    • Backlog Refinement

      Feature Overview

      This phase focuses on introducing finer controls over permission/access management to APIs provided by operators, while the “discoverability control of the installed extensions/operators” piece of feature F12 will be tackled in the future.

      OLM 1.0 provides more control to administrators to regulate how the services/APIs provided by the installed operators are usable by tenants.

      • (which is separate from the controls where the operator has permissions to operate, see F13 in OCPSTRAT-393).

      Goals

      • Administrators can choose between “legacy OLM v0 mode (do what OLM v0 does)”, “managed (full control)”, and “unmanaged (do nothing)” over permissions to the APIs provided by an operator API.
      • Enable Administrators to apply the least-privilege principle with the “managed (full control)” option allowing fine-grained permissions configuration, letting administrators specify namespaces, users, groups, APIs, and specific permissions for each.
      • Whenever administrators modify an operator’s permissions configuration, OLM 1.0 constantly keeps the system up to date.
      • Enable tenants to use services/APIs provided by an installed extension by OLM 1.0’s automating permission management.

      Requirements

      Requirement Notes isMvp?
      Administrators can use Operator CR to specify a mutually exclusive permission management mode (e.g., legacy, managed, or unmanaged).    YES
      Administrators can use Operator CR to retain the UX as in OLM v0 by specifying legacy as the permission management mode.
      • A user in a namespace with view permissions may only get/list/watch the operator’s namespace-scoped APIs.
      • A user with cluster-wide view permissions may get/list/watch both the operator’s namespace- and cluster-scoped APIs
      • A user in a namespace with edit permissions may only get/list/watch/create/update/patch/delete/deletioncollection the operator’s namespace-scoped APIs
      • A user with cluster-wide edit permissions may get/list/watch/create/update/patch/delete/deletioncollection both the operator’s namespace- and cluster-scoped APIs
      • A user in a namespace with admin permissions may perform all verbs on the operator’s namespace-scoped APIs
      • A user with cluster-wide admin permissions may perform all verbs on the operator’s namespace- and cluster-scoped APIs
      		 YES
      Administrators can use Operator CR to opt in the new finer-grained permission management mode introduced by OLM 1.0 in which the users and/or groups that are granted the specified permissions are able to perform what was granted to the APIs provided by the operator. OLM v1 introduces more flexibility with new options: * Configure access in specific namespaces by name and/or label selector
      • Configure admin/edit/view access for specific users and/or groups
      • Configure custom permissions for specific users and/or groups
      • Configure access to all operator-provided APIs, or a specific subset
      		 YES
      Administrators can optionally disable OLM’s automated RBAC object creation by specifying permission management mode in “unmanaged” with an Operator CR. Note: Only users with “wildcard/*” permissions are able to use those APIs provided by an operator. YES
      Whenever administrators modify an operator’s permissions configuration to an Operator CR, OLM 1.0 constantly keeps the system up to date.
      • When an Operator CR is updated such that permissions that a user previously had are now revoked, the user must no longer be able to perform any of the removed permissions.
      • If an RBAC object that was created by OLM is modified by some other actor other than OLM, OLM will overwrite those changes and restore them to their original state. (Allow users add their own labels and annotations as long as not modifying things owned by OLM 1.0)
      		 YES
      CI - MUST be running successfully with test automation This is a requirement for ALL features. YES
      Release Technical Enablement Provide necessary release enablement details and documents. YES

      Background, and strategic fit

      When you install an operator with OLM v0, OLM adds the operator’s provided APIs to the admin/edit/view roles for all namespaces.  This means that any user with admin, edit, or view permission in any namespace has access to the operator’s APIs, and there is no way to change this.  Users have asked for a finer-grained permissions configuration for operator APIs.

      Users who may not have the permissions to install operators are interested in learning which operators are available for them to use in a cluster. While a user may be able to see various operator-provided APIs are present in the cluster, they may not have permission to use all of them. Trying to use an API and getting a “permission denied” error may not be the best user experience. A better option is to provide a means for the user to ask “what operators can I use?”

      This is part of a larger effort to re-design vital parts of the OLM APIs and conceptual models to fit the use case of OLM in managed service environments, GitOps-controlled infrastructure and restrictive self-managed deployments in Enterprise environments. You can learn more about it here: https://docs.google.com/document/d/1LX4dJMbSmuIMn98tCiBaONmTunWR6zdUJuH-8uZ8Cno/edit?usp=sharing

      Relevant upstream CNCF OLM engineering brief(s):

      Documentation Considerations

      • Admin-type users need to understand the differences between the permissions management modes.
      • Admin-type users need to fully understand how all the options for the managed permissions mode work.
      • Users need to understand they can only use OLM to grant permissions to APIs provided by the operator being installed. If they need to grant permissions to APIs provided by a dependency, they need to create a separate configuration for the dependency as its own operator.

       
       
       

       

              DanielMesser Daniel Messer
              DanielMesser Daniel Messer
              Jian Zhang Jian Zhang
              Matthew Werner Matthew Werner
              Joe Lanford Joe Lanford
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated: