OpenShift Container Platform (OCP) Strategy / OCPSTRAT-933

Hypershift guest cluster can use external OIDC token issuer


    • BU Product Work
    • 20% To Do, 0% In Progress, 80% Done
    • Program Call
    • Proposed

      Feature Overview (aka. Goal Summary)

      A guest cluster can use an external OIDC token issuer. This enables machine-to-machine authentication workflows.

      Goals (aka. expected user outcomes)

      A guest cluster can configure OIDC providers to support the current capability (https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) and the future capability (https://github.com/kubernetes/kubernetes/blob/2b5d2cf910fd376a42ba9de5e4b52a53b58f9397/staging/src/k8s.io/apiserver/pkg/apis/apiserver/types.go#L164) through an API that:

      1. allows fixing mistakes
      2. alerts the owner of the configuration when a misconfiguration is likely (self-service)
      3. makes it easy to tell a product failure (the expressed configuration was not applied) apart from a configuration failure (the expressed configuration was wrong)
      4. makes cluster recovery possible when the external token issuer is permanently gone
      5. allows (but might not require) removal of the existing OAuth server
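
      A preflight check for the configuration the goals above describe, as an added Go example that is not HyperShift, OpenShift or kube-apiserver code. It serves a constructed issuer from net/http/httptest and classifies failures the way goals 2 to 4 ask for: a discovery document whose issuer differs from the configured URL (here only by a trailing slash), or an issuer that only signs with an algorithm the cluster does not accept, is reported as a configuration failure with a hint, while an issuer that has gone away is reported under a separate unreachable class. The paths /good, /sloppy and /weak, the error names ErrConfig and ErrUnreachable, and the accepted-algorithm list are assumptions of the example, not anything from the ticket.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"time"
)

// Error classes (names are this example's own) so a caller, or a controller writing status
// conditions, can tell "the expressed configuration is wrong" from "the issuer is not reachable".
var (
	ErrConfig      = errors.New("configuration failure")
	ErrUnreachable = errors.New("issuer unreachable")
)

// discoveryDoc holds the OpenID Provider Metadata fields this preflight looks at.
type discoveryDoc struct {
	Issuer  string   `json:"issuer"`
	JWKSURI string   `json:"jwks_uri"`
	Algs    []string `json:"id_token_signing_alg_values_supported"`
}

// ValidateIssuer runs the checks an operator wants before pointing a cluster at issuerURL:
// https only (as --oidc-issuer-url requires), discovery reachable, discovery issuer byte-identical
// to the configured URL, a JWKS endpoint advertised, and a signing alg the cluster accepts.
func ValidateIssuer(client *http.Client, issuerURL string, allowedAlgs []string) error {
	u, err := url.Parse(issuerURL)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("%w: issuer URL %q must be an https URL", ErrConfig, issuerURL)
	}
	resp, err := client.Get(strings.TrimSuffix(issuerURL, "/") + "/.well-known/openid-configuration")
	if err != nil {
		return fmt.Errorf("%w: %v", ErrUnreachable, err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%w: discovery endpoint returned HTTP %d", ErrUnreachable, resp.StatusCode)
	}
	var doc discoveryDoc
	if err := json.NewDecoder(resp.Body).Decode(&doc); err != nil {
		return fmt.Errorf("%w: discovery document is not valid JSON: %v", ErrConfig, err)
	}
	if doc.Issuer != issuerURL {
		hint := ""
		if strings.TrimSuffix(doc.Issuer, "/") == strings.TrimSuffix(issuerURL, "/") {
			hint = " (they differ only by a trailing slash)"
		}
		return fmt.Errorf("%w: discovery issuer %q != configured %q%s", ErrConfig, doc.Issuer, issuerURL, hint)
	}
	if !strings.HasPrefix(doc.JWKSURI, "https://") {
		return fmt.Errorf("%w: jwks_uri %q missing or not https", ErrConfig, doc.JWKSURI)
	}
	for _, a := range doc.Algs {
		for _, ok := range allowedAlgs {
			if a == ok {
				return nil
			}
		}
	}
	return fmt.Errorf("%w: issuer signs with %v, none of which is in %v", ErrConfig, doc.Algs, allowedAlgs)
}

// Demo serves a constructed issuer from a TLS test server and runs four scenarios: a correct
// document, one whose issuer carries a trailing slash the operator did not configure, one that
// only signs with an unaccepted alg, and finally the same issuer after it has been shut down.
func Demo() (good, misconfig, weakAlg, gone error) {
	algs := []string{"RS256", "ES256"} // what the cluster accepts (cf. --oidc-signing-algs)
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		base := "https://" + r.Host // the test server listens on 127.0.0.1:<port>, so this equals srv.URL
		doc := discoveryDoc{Issuer: base + "/good", JWKSURI: base + "/keys", Algs: []string{"RS256"}}
		switch {
		case strings.HasPrefix(r.URL.Path, "/sloppy/"):
			doc.Issuer = base + "/sloppy/"
		case strings.HasPrefix(r.URL.Path, "/weak/"):
			doc.Issuer, doc.Algs = base+"/weak", []string{"HS256"}
		}
		json.NewEncoder(w).Encode(doc)
	}))
	client := srv.Client() // trusts the test server's certificate
	client.Timeout = 2 * time.Second
	good = ValidateIssuer(client, srv.URL+"/good", algs)
	misconfig = ValidateIssuer(client, srv.URL+"/sloppy", algs)
	weakAlg = ValidateIssuer(client, srv.URL+"/weak", algs)
	srv.Close() // the issuer is now permanently gone: a different failure class, not a config error
	gone = ValidateIssuer(client, srv.URL+"/good", algs)
	return good, misconfig, weakAlg, gone
}

func main() {
	good, misconfig, weakAlg, gone := Demo()
	fmt.Printf("good: %v\nmisconfig: %v\nweak alg: %v\ngone: %v\n", good, misconfig, weakAlg, gone)
}
```

      Run it with go run. Because the unreachable class is distinct from the configuration class, a controller applying this configuration can surface it as its own status condition rather than a generic failure; if that condition persists, the cluster still needs an authentication path that does not depend on the issuer (for example certificate-based break-glass credentials kept outside the guest cluster), which is what goal 4 is asking for.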


      Requirements (aka. Acceptance Criteria):

      A list of specific needs or objectives that a feature must deliver in order to be considered complete. Be sure to include nonfunctional requirements such as security, reliability, performance, maintainability, scalability, usability, etc. Initial completion during Refinement status.

      Use Cases (Optional):

      Include use case diagrams, main success scenarios, alternative flow scenarios. Initial completion during Refinement status.

      Questions to Answer (Optional):

      Include a list of refinement / architectural questions that may need to be answered before coding can begin. Initial completion during Refinement status.

      Out of Scope

      High-level list of items that are out of scope. Initial completion during Refinement status.

      Background

      Provide any additional context that is needed to frame the feature. Initial completion during Refinement status.

      Customer Considerations

      Provide any additional customer-specific considerations that must be made when designing and delivering the Feature. Initial completion during Refinement status.

      Documentation Considerations

      Provide information that needs to be considered and planned so that documentation will meet customer needs. If the feature extends existing functionality, provide a link to its current documentation. Initial completion during Refinement status.

      Interoperability Considerations

      Which other projects, including ROSA/OSD/ARO, and versions in our portfolio does this feature impact? What interoperability test scenarios should be factored by the layered products? Initial completion during Refinement status.

              Adel Zaalouk (azaalouk)
              David Eads (deads@redhat.com)
              Adel Zaalouk, Alberto Garcia Lamela, Anjali Telang, Antoni Segura Puimedon, David Eads, Mike Worthington, Seth Jennings, Xingxing Xia
              He Liu
              Shashank Karanth
              Alberto Garcia Lamela
              Adel Zaalouk
              Dave Mulford
              Votes: 0
              Watchers: 12