You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
All our good work in Kuadrant is based on the Gateway API, and this novel official Kubernetes specification, that represents the next generation of Kubernetes Ingress, was designed to be expressive, generic and role-oriented. This last bit is the key aspect of the specification, that discloses 3 specific Roles that will manage different resources in a specific way: An Infrastructure Provider, a Cluster operator and an Application Developer. The issue here is that currently our development is based only on a sole admin account, similar to the Infra Provider, instead of bearing in mind these different personas and thus once in a real case scenario when adjusted permissions are given to the users, we start encountering from bad UX to concerning security issues.
Proposition
Personas
Following the Gateway API example, we’ll model it in a simple 3 tier model mentioned above, which will also include assignment of the specific Kuadrant resources.
Gateway Class
Gateway
Route
DNS Policy
TLS Policy
Auth Policy
RL Policy
Infra Provider
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Cluster Operators
No
Yes
Yes
Yes
Yes
Yes
Yes
App Developers
No
No
Yes*
No
No
Yes*
Yes*
* Could only be applied to specified namespaces.
Based on the proposed diagram, we could use the following examples of Cluster Roles:
Documentation
We should recommend the use of this Roles/Personas in our docs, we are not going to enforce it, since it’s an area quite opinionated and varies drastically in every production cluster.
Developing tools
Regarding our daily development tools, our “make targets” should install the different dependencies (operators, CRDs, etc) with the different Personas contexts, thus it will replicate a more realistic use case.
The text was updated successfully, but these errors were encountered:
To the point on the Development tools and "make targets". If we go down the route of different Personas, we also need to generate the different kubeconfig files so a develop can act on the cluster as does Personas while at the same time running the operator in locally.
If it we don't automate the generation of the kubeconfigs it becomes harder for the developer to use the different Personas. So they wont use them.
About
All our good work in Kuadrant is based on the Gateway API, and this novel official Kubernetes specification, that represents the next generation of Kubernetes Ingress, was designed to be expressive, generic and role-oriented. This last bit is the key aspect of the specification, that discloses 3 specific Roles that will manage different resources in a specific way: An Infrastructure Provider, a Cluster operator and an Application Developer. The issue here is that currently our development is based only on a sole admin account, similar to the Infra Provider, instead of bearing in mind these different personas and thus once in a real case scenario when adjusted permissions are given to the users, we start encountering from bad UX to concerning security issues.
Proposition
Personas
Following the Gateway API example, we’ll model it in a simple 3 tier model mentioned above, which will also include assignment of the specific Kuadrant resources.
* Could only be applied to specified namespaces.
Based on the proposed diagram, we could use the following examples of Cluster Roles:
Infrastructure Provider
Cluster Operators
Application Developers
TODO:
Documentation
We should recommend the use of this Roles/Personas in our docs, we are not going to enforce it, since it’s an area quite opinionated and varies drastically in every production cluster.
Developing tools
Regarding our daily development tools, our “make targets” should install the different dependencies (operators, CRDs, etc) with the different Personas contexts, thus it will replicate a more realistic use case.
The text was updated successfully, but these errors were encountered: