Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-879

[PRD scope] OLM 1.0 - Installed Extension Discoverability and Access Management (F12)

    XMLWordPrintable

Details

    • Feature
    • Resolution: Unresolved
    • Critical
    • None
    • None
    • Operator Framework
    • None
    • False
    • Hide

      None

      Show
      None
    • False
    • OCPSTRAT-27Operators and Operator Lifecycle Management and Operator Hub
    • 50
    • 50% 50%
    • 0
    • 0

    Description

      Feature Overview

      • OLM 1.0 needs to allow users which typically do not have CRD listing permissions and might not be aware of which extensions a privileged admin user installed to discover installed extensions if they are offerings services/APIs for them to use in their namespace
      • With the discoverability come appropriate permissions for the tenants in the namespace to use serivces/APIs the extension provides
      • OLM 1.0 needs to provide distinct controls to privileged admin users in the context of installed operators to define in which namespaces their services/APIs are discoverable and usable by tenants, which is separate from the controls where the operator has permissions to operate (although in practice the set of namespaces where the extensions is discoverable/usable by tenants is going to be a full subset of the set of namespaces the extensions has permissions in (see OCPBU-110)

      Goals

      • Enable administrators to apply least-privilege principle based on granular control around tenant-level permissions on services/APIs of a particular installed extension
      • Allow tenants with limited permissions to discover installed extensions available to them as a single entity that ties together vital metadata (description, documentation, support, feature annotations) and the provided APIs for a great user experience
      • Enable tenants to actually use services/APIs provided by an installed extension by automating permission management
      • Provide a resource-efficient way to convey the information about extension availability into selected namespaces that works on clusters with potentially thousands/all of the namespaces selected

      Requirements

       

      Requirement Notes isMvp?
      Administrators can use the main operator API to define a list of namespaces in which the extension is supposed to be discoverable see OCPBU-106, the list should either be specified as a regular list construct or be the result of label selector query for which the administrator can define the key value pairs YES
      Tenants in the above list of namespaces by default get standard access permissions on the extension This should work similar or equal to default role aggregation that OLM v0.x uses today to enable the default namespaces roles admin/edit/view with the appropriate CRUD verbs YES
      Administrators can optionally disable the automatic creation of RBAC rules that allow tenants in the list of above namespaces to use the provided services/APIs An admin might want to enable discoverability but manage the access permissions separately from OLM NO
      Tenants the above list of namespaces have a kubernetes-native way of discovering the availability of the respective operator this has to be resource friendly and needs to scale to thousands of namespaces potentially YES
      Tenants get all information required to adopt and use the extension via this discoverability mechanism Information includes human readable information about the extensions display name, origin, maintainers, documentation, description, release notes, logo, support information, infrastructure annotations and compatibility as well as all provided services APIs with examples YES
      Tenants must be able to discover the provided APIs either via standard kubectl tooling or through a graphical user interface The discoverability mechanism needs to work for the OCP Console YES
      The implementation of extension discovery must support clusters with large number of namespaces With CSV copying in OLM v0 memory consumption of OLM is in the range of Gigabytes for a few cluster-scoped operators in clusters with hundreds / thousands of namespace. OLMs memory consumption should largely be independent of the number of namespaces in the cluster. YES
      CI - MUST be running successfully with test automation This is a requirement for ALL features. YES
      Release Technical Enablement Provide necessary release enablement details and documents. YES

      Use Cases

      Main use cases:

      • An extension gets installed on the cluster and the OLM API used to facilitate this operator offers to specify a list of namespaces in which the extensions should be discoverable, its specified either as a distinct list of existing namespaces or as a label selector query
      • Tenants can use OLM APIs to discover the set of extensions available to them in their namespace, either via CLI or UI tools, and can by default expect to have a level of access permissions on their provided services/APIs that corresponds to their own access levels in the namespace, aligned to default role definitions namespace admin/edit/view
      • Tenants may discover OLM-managed extensions in their namespace but may not have actual access permissions on their services/APIs because the admin opted out of the default RBAC creation by OLM for the purpose of more manual control about who exactly gets what kind of access
      • The set of namespaces in which an extension is discoverable might actually be smaller than the set of namespaces in which the operator has permissions in (see OCPBU-110) to enable it to do meaningful work outside of tenant namespaces, for example using platform / cluster operators in namespaces considered system namespaces

      Background, and strategic fit

      This is part of a larger effort to re-design vital parts of the OLM APIs and conceptual models to fit the use case of OLM in managed service environments, GitOps-controlled infrastructure and restrictive self-managed deployments in Enterprise environments. You can learn more about it here: https://docs.google.com/document/d/1LX4dJMbSmuIMn98tCiBaONmTunWR6zdUJuH-8uZ8Cno/edit?usp=sharing

      Assumptions

      • Extensions are handled at the cluster level

      Documentation Considerations

      • Users need to be of how specify the list of namespaces in which an extension ought to be discoverable
      • Users need to understand how tenant in those namespace eventually discover the installed extension and its services/APIs
      • Users need to be aware of the default RBAC OLM will generate in those namespaces to actually allow the tenants to use the extension and how to disable that beavior
      • Users need to understand the difference between discoverability / usability of an extension in a particular set of namespaces and the set of namespaces that the extension itself has permissions in to do meaningful work

      Attachments

        Issue Links

          incorporates

          Feature Request - Feature requests from customers and/or users RFE-3905 [RFE] Reduce OLM memory footprint at scale

          • Undefined - Priority not specified.
          • Accepted
          relates to

          Feature Request - Feature requests from customers and/or users RFE-1278 prevent non-admins from seeing all operator in a namespace

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Accepted

          Feature Request - Feature requests from customers and/or users RFE-1274 Hide the ElasticSearch Operator from regular users

          • Normal - To be worked after urgent and high priorities are resolved. This term is chosen when the severity of an issue is relatively close to the level of effort to fix it. The existence of an easily implemented workaround can also lead to this priority level instead of a higher priority.
          • Accepted
          split to

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-1137 OLM 1.0 - Users can discover operators and their provided APIs that are active in a namespace (a part of F12)

          • Critical - To be worked on immediately following BLOCKER issues.
          • New

          Feature - Capability or a well-defined set of functionality that delivers business value. Features can include additions or changes to existing functionality. Features can easily span multiple teams, and potentially multiple releases. OCPSTRAT-550 OLM 1.0 - Access Management of provided APIs (a part of F12)

          • Refinement

          Activity

            People

              DanielMesser Daniel Messer
              DanielMesser Daniel Messer
              Jian Zhang Jian Zhang
              Joe Lanford Joe Lanford
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated: