Implement OrganizationRole #68
Conversation
kubermatic-bot
added
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jiachengxu The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kubermatic-bot
added
approved
kubermatic-bot
added
release-note-none
| func (r *OrganizationRoleReconciler) SetupWithManager(mgr ctrl.Manager) error { | ||
| enqueueAllRoles := &handler.EnqueueRequestsFromMapFunc{ | ||
| ToRequests: handler.ToRequestsFunc(func(mapObject handler.MapObject) (out []ctrl.Request) { | ||
| organizationRoles := &corev1alpha1.OrganizationRoleList{} |
There was a problem hiding this comment.
This is going to have scaling issues after a while, and it's wasteful, instead
| organizationRoles := &corev1alpha1.OrganizationRoleList{} | |
| ToRequests: handler.ToRequestsFunc(func(mapObject handler.MapObject) (out []ctrl.Request) { | |
| obj := mapObject.Object.(*corev1alpha1.OrganizationRoleTemplate) | |
| for _, organizationRole := range obj.Status.Targets { | |
| out = append(out, ctrl.Request{ | |
| NamespacedName: types.NamespacedName{ | |
| Name: organizationRole.Name, | |
| Namespace: mapObject.Meta.GetNamespace(), | |
| }, | |
| }) | |
| } | |
| return |
There was a problem hiding this comment.
Hmm, this cannot work because the Targets in the Status are Organizations and Projects, not OrganiationRole.
There was a problem hiding this comment.
hmmm ok. But you can reconcile only a limited subset for each OrganizationRoleTemplate, and not every OrganizationRole? Because you know which OrganizationRole's are created for each OrganizationRoleTemplate
There was a problem hiding this comment.
Yeah, the reason that I reconcile all OrganizationRole is because OrganizationRoleTemplate doens't have a selector, which means OrganizationRoleTemplate applies to all Organizations in the system, once we have a selector for OrganizationRoleTemplate, we don't need to reconcile every OrganizationRole
pkg/manager/internal/controllers/organizationrole_controller.go
Outdated
Show resolved
Hide resolved
| if err = r.List(ctx, organizationRoleTemplates); err != nil { | ||
| return | ||
| } | ||
| var maxRules []rbacv1.PolicyRule |
There was a problem hiding this comment.
I'd disagree with the rule cap being implemented like this. Instead, it should probably be defined in the Organization CRD itself?
There was a problem hiding this comment.
Sorry I did't get it :)
What do you mean by defining in Organization?
There was a problem hiding this comment.
By defining it in the Organization I mean we have a field .spec.maximumPermissions or something like it with rule lists which are the maximum allowed policy rules allowed within this organization.
There was a problem hiding this comment.
We cannot pre-define the maximum permission of the Organization in the Organization itself. On one knows which permission will be needed when they create the Organization, for example, when we integrate Bulward with KubeCarrier, everything is dynamic, if couchdb objects are created, Organization should grant with couchdb related permissions.
There was a problem hiding this comment.
Where do we define it then? @thetechnick
It needs to be somewhere nicely defined and specified for ease of use.
There was a problem hiding this comment.
So we define it in the OrganizationRoleTemplate, and then give the operator/admin for example, could be KubeCarrier operator to update the OrganizationRoleTemplate to grant/revoke permissions, and every time organization admin create the new OrganizationRole we check it with the Max Rule, like what is implemented now, and accepted rule will be shown in the status of OrganizationRole
There was a problem hiding this comment.
This isn't the obvious way. Where can I find out what's the maximum role scope for this organization? It's hidden away in OrganizationRoleTemplates.
Also, nothing about this is mentioned in the proposal IIRC.
There was a problem hiding this comment.
It was mentioned a bit here:https://github.com/kubermatic/bulward/pull/66/files#diff-da75ad503782278090a6e6ef7b58c9d7R9-R10
I am not sure if user should care about the maximum permission at all, at least Organization Owner will have maximum permission.
There was a problem hiding this comment.
ohh,, now I see it; it's a bit like a footnote.
This maximum permission level results from all roles that are assigned to the organization unit and thus to the Organization/Project Owner.
How bout we talk it briefly in tomorrow's daily?
we should at least aggregate maximum permission cap somewhere, like in the Organization status, to have a clear picture what it is.
What this PR does / why we need it:
This PR implements the OrganizationRole concept in proposal #66. The changes are as following:
PS: user still can create an OrganizationRole which escalates the user's privilege, currently, we will still let the OrganizationRole be created, but OrganizationRole controller will perform an intersection checking between max level permission of the Organization and the OrganizationRole, and only the intersection rules will be accepted.
In the next PR, I will implement a webhook to forbidden that, in the webhook, we first check the enabled rules for user by issuing
SelfSubjectRulesReview, check if rules inOrganizationRoleis a subset of that, if it is not, forbidden user to createOrganizationRole.Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
Documentation:
Does this PR introduce a user-facing change?: