EPIC: kro deployer with restricted access to cluster resources (RBAC) #199

Open
1 task
frewilhelm opened this issue Apr 25, 2025 · 1 comment
Labels
kind/epic Large multi-story topic needs/refinement Discuss with the team and gain a shared understanding needs/validation Validate the issue and assign a priority
Comments

@frewilhelm
Contributor

frewilhelm commented Apr 25, 2025

Description

The deployer introduced by #172 uses Kro and its ResourceGraphDefinition to deploy resources from an OCM component version. However, this requires that not only the ocm-controllers v2 (aka ocm-k8s-toolkit) are deployed in the cluster but also Kro. Eventually, the deployment of Kro will also be in our scope (as an MCP component or part of the OCM controller deployment).

As Kro is a deployer for resources in a cluster, it requires appropriate permissions in that cluster. As described, Kro can be deployed in unrestricted or aggregation mode. Of course, the unrestricted mode is not feasible for production environments.

Accordingly, we have to find a way to make sure the aggregation mode is used.

User Story
As a DevOps admin, I want to deploy the OCM controllers into my (MCP) cluster and use them to deploy resources from an OCM component version. Preferably, I do not want to deploy and configure Kro myself but use a process that does this for me appropriately.

Discussion:
We agreed that a functionality analyzing the RGD (or rather, the resources specified in the RGD) to dynamically provide KRO with sufficient authorizations (create, update, get, list, delete) for those resources (and therefore to operate as expected) through the mechanism described in the KRO access control documentation is desired.

We did not agree on details yet (e.g. where or how exactly that functionality should be implemented or whether we might even be able to contribute something to the KRO project). These details will have to be revisited.

Scope

  • ...

Out of Scope

  • ...
@frewilhelm frewilhelm added kind/epic Large multi-story topic needs/refinement Discuss with the team and gain a shared understanding needs/validation Validate the issue and assign a priority labels Apr 25, 2025
@frewilhelm frewilhelm added this to the 2025-Q3 milestone Apr 25, 2025
@jakobmoellerdev jakobmoellerdev changed the title EPIC: Kro Deployment and its access controls EPIC: kro deployer with restricted access to cluster resources (RBAC) Apr 28, 2025
@jakobmoellerdev
Contributor

@frewilhelm please add our discussion results on how we could generate such RBAC from the RGD definition dynamically
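
The RBAC generation discussed in this issue, as an added example that is not code from the OCM or kro projects: it reads the resource templates of a ResourceGraphDefinition and builds a ClusterRole limited to those kinds and the five verbs named in the description. The aggregation label, the `kro-rgd-` role name prefix, the sample RGD and the naive kind-to-resource pluralization are assumptions; a real implementation would resolve resource names through API discovery.

```python
import json

# Verbs listed in the issue discussion.
VERBS = ["create", "update", "get", "list", "delete"]
# Assumption: label that kro's aggregated controller ClusterRole selects on.
AGGREGATE_LABEL = "rbac.kro.run/aggregate-to-controller"

def plural(kind):
    """Naive kind -> resource name (assumption); real code would use API discovery."""
    k = kind.lower()
    if k.endswith(("s", "x", "ch", "sh")):
        return k + "es"
    if k.endswith("y") and k[-2] not in "aeiou":
        return k[:-1] + "ies"
    return k + "s"

def cluster_role_for(rgd):
    """Build a ClusterRole covering only the kinds templated in the RGD."""
    by_group = {}
    for res in rgd["spec"].get("resources", []):
        tpl = res.get("template") or {}
        api_version, kind = tpl.get("apiVersion", ""), tpl.get("kind", "")
        # Fail closed: never fall back to wildcards for missing or templated kinds.
        if not api_version or not kind or "${" in api_version + kind:
            raise ValueError(f"resource {res.get('id')!r}: apiVersion/kind must be literal")
        group = api_version.rpartition("/")[0]  # "v1" -> "" (core group)
        by_group.setdefault(group, set()).add(plural(kind))
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": "kro-rgd-" + rgd["metadata"]["name"],  # hypothetical naming scheme
                     "labels": {AGGREGATE_LABEL: "true"}},
        "rules": [{"apiGroups": [g], "resources": sorted(r), "verbs": list(VERBS)}
                  for g, r in sorted(by_group.items())],
    }

# Constructed sample RGD, reduced to the fields this example reads.
SAMPLE_RGD = {
    "apiVersion": "kro.run/v1alpha1", "kind": "ResourceGraphDefinition",
    "metadata": {"name": "webapp"},
    "spec": {"resources": [
        {"id": "deployment", "template": {"apiVersion": "apps/v1", "kind": "Deployment"}},
        {"id": "service", "template": {"apiVersion": "v1", "kind": "Service"}},
        {"id": "ingress", "template": {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress"}},
    ]},
}

if __name__ == "__main__":
    print(json.dumps(cluster_role_for(SAMPLE_RGD), indent=2))
```

The generated role grants nothing outside the three API groups in the sample, and a template whose `kind` is an expression is rejected instead of being widened to `*`.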

Projects
Status: 🆕 ToDo