Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Suggested Personas and Roles for Kuadrant #1087

Open
2 tasks
didierofrivia opened this issue Dec 18, 2024 · 1 comment
Open
2 tasks

Suggested Personas and Roles for Kuadrant #1087

didierofrivia opened this issue Dec 18, 2024 · 1 comment
Labels
area/doc Improvements or additions to documentation kind/enhancement New feature or request

Comments

@didierofrivia
Copy link
Member

About

All our good work in Kuadrant is based on the Gateway API, and this novel official Kubernetes specification, that represents the next generation of Kubernetes Ingress, was designed to be expressive, generic and role-oriented. This last bit is the key aspect of the specification, that discloses 3 specific Roles that will manage different resources in a specific way: An Infrastructure Provider, a Cluster operator and an Application Developer. The issue here is that currently our development is based only on a sole admin account, similar to the Infra Provider, instead of bearing in mind these different personas and thus once in a real case scenario when adjusted permissions are given to the users, we start encountering from bad UX to concerning security issues.

Proposition

Personas

Following the Gateway API example, we’ll model it in a simple 3 tier model mentioned above, which will also include assignment of the specific Kuadrant resources.

Gateway Class Gateway Route DNS Policy TLS Policy Auth Policy RL Policy
Infra Provider Yes Yes Yes Yes Yes Yes Yes
Cluster Operators No Yes Yes Yes Yes Yes Yes
App Developers No No Yes* No No Yes* Yes*

* Could only be applied to specified namespaces.

Based on the proposed diagram, we could use the following examples of Cluster Roles:

Infrastructure Provider

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
 name: infrastructure-provider
rules:
 - apiGroups: ["gateway.networking.k8s.io"]
   resources: ["*"]
   verbs: ["*"]
 - apiGroups: ["kuadrant.io"]
   resources: ["*"]
   verbs: ["*"]

Cluster Operators

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
 name: cluster-operator
rules:
 - apiGroups: ["gateway.networking.k8s.io"]
   resources: ["gateways", "httproutes", "grpcroutes"]
   verbs: ["*"]
 - apiGroups: ["kuadrant.io"]
   resources: ["authpolicies", "ratelimitpolicies", "dnspolicies", "tlspolicies"]
   verbs: ["*"]

Application Developers

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
 name: app-developer
rules:
 - apiGroups: ["gateway.networking.k8s.io"]
   resources: ["httproutes", "grpcroutes"]
   verbs: ["*"]
 - apiGroups: ["kuadrant.io"]
   resources: ["authpolicies", "ratelimitpolicies"]
   verbs: ["*"]

TODO:

  • Documentation
    We should recommend the use of this Roles/Personas in our docs, we are not going to enforce it, since it’s an area quite opinionated and varies drastically in every production cluster.

  • Developing tools
    Regarding our daily development tools, our “make targets” should install the different dependencies (operators, CRDs, etc) with the different Personas contexts, thus it will replicate a more realistic use case.

@didierofrivia didierofrivia added area/doc Improvements or additions to documentation kind/enhancement New feature or request labels Dec 18, 2024
@Boomatang
Copy link
Contributor

To the point on the Development tools and "make targets". If we go down the route of different Personas, we also need to generate the different kubeconfig files so a develop can act on the cluster as does Personas while at the same time running the operator in locally.

If it we don't automate the generation of the kubeconfigs it becomes harder for the developer to use the different Personas. So they wont use them.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/doc Improvements or additions to documentation kind/enhancement New feature or request
Projects
Status: No status
Development

No branches or pull requests

2 participants