Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

✨ Add classNamespace to topology #11352

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

✨ Add classNamespace to topology #11352

wants to merge 4 commits into from

Conversation

Danil-Grigorev
Copy link
Member

@Danil-Grigorev Danil-Grigorev commented Oct 30, 2024
edited
Loading

What this PR does / why we need it:

Adding classNamespace variable to the cluster topology, which allows to point to a ClusterClass in a different namespace. This field is dormant, and is used for differentiation only.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Related to #5673

/area clusterclass

@k8s-ci-robot k8s-ci-robot added area/clusterclass Issues or PRs related to clusterclass cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Oct 30, 2024
@Danil-Grigorev Danil-Grigorev changed the title Add classNamespace to topology ✨ Add classNamespace to topology Oct 30, 2024
@Danil-Grigorev Danil-Grigorev force-pushed the class-namespace-addition branch 2 times, most recently from ae1cb19 to 43cb995 Compare October 30, 2024 11:59
@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Oct 30, 2024
@Danil-Grigorev Danil-Grigorev force-pushed the class-namespace-addition branch 2 times, most recently from 2bddeeb to 352fd66 Compare October 30, 2024 15:20
salasberryfin
salasberryfin reviewed Oct 31, 2024
View reviewed changes
Copy link
Contributor

@salasberryfin salasberryfin left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @Danil-Grigorev! I added a small suggestion but I think this looks good.

docs/book/src/tasks/experimental-features/cluster-class/write-clusterclass.md Outdated Show resolved Hide resolved
@salasberryfin
Copy link
Contributor

Thanks @Danil-Grigorev

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 31, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: c4b418743a4683ae623b3264aae7636c41ad5675

@salasberryfin
Copy link
Contributor

/assign @chrischdi

@Danil-Grigorev Danil-Grigorev changed the title ✨ Add classNamespace to topology [WIP] ✨ Add classNamespace to topology Oct 31, 2024
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 31, 2024
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 31, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from chrischdi. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 31, 2024
@Danil-Grigorev Danil-Grigorev changed the title [WIP] ✨ Add classNamespace to topology ✨ Add classNamespace to topology Oct 31, 2024
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 31, 2024
@Danil-Grigorev Danil-Grigorev mentioned this pull request Nov 4, 2024
Merged
enxebre
enxebre reviewed Nov 5, 2024
View reviewed changes
docs/book/src/tasks/experimental-features/cluster-class/write-clusterclass.md

#### Securing cross-namespace reference to the ClusterClass

It is often desirable to restrict free cross-namespace `ClusterClass` access for the `Cluster` object. This can be implemented by defining a [`ValidatingAdmissionPolicy`](https://kubernetes.io/docs/reference/access-authn-authz/validating-admission-policy/) on the `Cluster` object.
Copy link
Member

@enxebre enxebre Nov 5, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

besides the on admission check which is nice, do we have any rbac recommendation for this?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

VAP supports secondary authz for added RBAC control, and VAP binding can be used with label selectors, which addresses #5673 (comment). From the proposal itself, it seems using the policy for added restriction on top of RBAC is within the scope.

Webhook allows to use paramRef of any kind, which can be potentially explored with specific CRD to further restrict access beyond admission, with a controller acting on that resource.

Currently, this is just an example of how an on top policy can be defined (if needed) in k8s 1.30+, where a user may decide to use different policy mechanisms to further restrict access, including a more granular RBAC. I’m thinking to showcase it as an option, but to not enforce any specific solution within this PR.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is also an RBAC recommendation in https://kccncna2024.sched.com/event/1hoyX, if a talk considered to be one.

@alexander-demicev alexander-demicev mentioned this pull request Nov 5, 2024
Open
neolit123
neolit123 reviewed Nov 6, 2024
View reviewed changes
Copy link
Member

@neolit123 neolit123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Danil-Grigorev did you attempt rebasing a non-namespaced CC to a namespaced CC?
does that work fine?

@Danil-Grigorev
Copy link
Member Author

@neolit123 I tried rebase on the clusterClass in the same namespace, and it works fine. Cross-namespace rebases are not possible, as there is validation to prevent namespace change for templates. This seems like a larger change.

@neolit123
Copy link
Member

@neolit123 I tried rebase on the clusterClass in the same namespace, and it works fine. Cross-namespace rebases are not possible, as there is validation to prevent namespace change for templates. This seems like a larger change.

if this larger change is not added then it's worth mentioning the limitation in the docs.

@Danil-Grigorev
Copy link
Member Author

Maybe to address some comments from the last meeting - extension configs on the initial check seem to work as well, as long as the namespace selector matches.

furkatgofurov7
furkatgofurov7 reviewed Nov 11, 2024
View reviewed changes
Copy link
Member

@furkatgofurov7 furkatgofurov7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 11, 2024
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: f7b15d982fdfb8730cff97c2900ccbd9c661e3d9

@Danil-Grigorev Danil-Grigorev mentioned this pull request Nov 11, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@furkatgofurov7 furkatgofurov7 furkatgofurov7 left review comments

@enxebre enxebre enxebre left review comments

@neolit123 neolit123 neolit123 left review comments

@jackfrancis jackfrancis Awaiting requested review from jackfrancis

@sbueringer sbueringer Awaiting requested review from sbueringer

@chrischdi chrischdi Awaiting requested review from chrischdi

@salasberryfin salasberryfin Awaiting requested review from salasberryfin

Assignees

@chrischdi chrischdi

@salasberryfin salasberryfin

@furkatgofurov7 furkatgofurov7

Labels
area/clusterclass Issues or PRs related to clusterclass cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@Danil-Grigorev @salasberryfin @k8s-ci-robot @neolit123 @enxebre @furkatgofurov7 @chrischdi