Add declarative RBAC to WorkspaceType initializers/terminators

Signed-off-by: Mangirdas Judeikis <mangirdas@judeikis.lt>
On-behalf-of: SAP <mangirdas.judeikis@sap.com>

Author: mjudeikis

config/crds/tenancy.kcp.io_workspacetypes.yaml

@@ -170,6 +170,65 @@ spec:
                   WorkspaceType `example` is created in the `root:org` workspace, the implicit
                   initializer name is `root:org:example`.
                 type: boolean
+              initializerPermissions:
+                description: |-
+                  initializerPermissions are the RBAC rules granted to initializer controllers when they
+                  access workspace content through the initializing virtual workspace's content proxy.
+                  Rules are evaluated in-process by the VW proxy on each request; no ClusterRole or
+                  ClusterRoleBinding objects are created inside the workspace.
+
+                  When empty (the default), the VW content proxy falls back to impersonating the
+                  workspace owner (full cluster-admin), preserving the historical behavior.
+
+                  Changes take effect immediately for all workspaces of this type.
+                items:
+                  description: |-
+                    PolicyRule holds information that describes a policy rule, but does not contain information
+                    about who the rule applies to or which namespace the rule applies to.
+                  properties:
+                    apiGroups:
+                      description: |-
+                        APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+                        the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
+                      items:
+                        type: string
+                      type: array
+                      x-kubernetes-list-type: atomic
+                    nonResourceURLs:
+                      description: |-
+                        NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
+                        Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+                        Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
+                      items:
+                        type: string
+                      type: array
+                      x-kubernetes-list-type: atomic
+                    resourceNames:
+                      description: ResourceNames is an optional white list of names
+                        that the rule applies to.  An empty set means that everything
+                        is allowed.
+                      items:
+                        type: string
+                      type: array
+                      x-kubernetes-list-type: atomic
+                    resources:
+                      description: Resources is a list of resources this rule applies
+                        to. '*' represents all resources.
+                      items:
+                        type: string
+                      type: array
+                      x-kubernetes-list-type: atomic
+                    verbs:
+                      description: Verbs is a list of Verbs that apply to ALL the
+                        ResourceKinds contained in this rule. '*' represents all verbs.
+                      items:
+                        type: string
+                      type: array
+                      x-kubernetes-list-type: atomic
+                  required:
+                  - verbs
+                  type: object
+                type: array
               limitAllowedChildren:
                 description: |-
                   limitAllowedChildren specifies constraints for sub-workspaces created in workspaces
@@ -261,6 +320,65 @@ spec:
                   WorkspaceType `example` is created in the `root:org` workspace, the implicit
                   terminator name is `root:org:example`.
                 type: boolean
+              terminatorPermissions:
+                description: |-
+                  terminatorPermissions are the RBAC rules granted to terminator controllers when they
+                  access workspace content through the terminating virtual workspace's content proxy.
+                  Rules are evaluated in-process by the VW proxy on each request; no ClusterRole or
+                  ClusterRoleBinding objects are created inside the workspace.
+
+                  When empty (the default), the VW content proxy falls back to impersonating the
+                  workspace owner (full cluster-admin), preserving the historical behavior.
+
+                  Changes take effect immediately for all workspaces of this type.
+                items:
+                  description: |-
+                    PolicyRule holds information that describes a policy rule, but does not contain information
+                    about who the rule applies to or which namespace the rule applies to.
+                  properties:
+                    apiGroups:
+                      description: |-
+                        APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+                        the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
+                      items:
+                        type: string
+                      type: array
+                      x-kubernetes-list-type: atomic
+                    nonResourceURLs:
+                      description: |-
+                        NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
+                        Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+                        Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
+                      items:
+                        type: string
+                      type: array
+                      x-kubernetes-list-type: atomic
+                    resourceNames:
+                      description: ResourceNames is an optional white list of names
+                        that the rule applies to.  An empty set means that everything
+                        is allowed.
+                      items:
+                        type: string
+                      type: array
+                      x-kubernetes-list-type: atomic
+                    resources:
+                      description: Resources is a list of resources this rule applies
+                        to. '*' represents all resources.
+                      items:
+                        type: string
+                      type: array
+                      x-kubernetes-list-type: atomic
+                    verbs:
+                      description: Verbs is a list of Verbs that apply to ALL the
+                        ResourceKinds contained in this rule. '*' represents all verbs.
+                      items:
+                        type: string
+                      type: array
+                      x-kubernetes-list-type: atomic
+                  required:
+                  - verbs
+                  type: object
+                type: array
             type: object
           status:
             description: WorkspaceTypeStatus defines the observed state of WorkspaceType.

config/root-phase0/apiexport-tenancy.kcp.io.yaml

@@ -18,7 +18,7 @@ spec:
       crd: {}
   - group: tenancy.kcp.io
     name: workspacetypes
-    schema: v251204-7c13b4e0a.workspacetypes.tenancy.kcp.io
+    schema: v260428-f702a24c5.workspacetypes.tenancy.kcp.io
     storage:
       crd: {}
 status: {}

config/root-phase0/apiresourceschema-workspacetypes.tenancy.kcp.io.yaml

@@ -1,7 +1,7 @@
 apiVersion: apis.kcp.io/v1alpha1
 kind: APIResourceSchema
 metadata:
-  name: v251204-7c13b4e0a.workspacetypes.tenancy.kcp.io
+  name: v260428-f702a24c5.workspacetypes.tenancy.kcp.io
 spec:
   group: tenancy.kcp.io
   names:
@@ -167,6 +167,65 @@ spec:
                 WorkspaceType `example` is created in the `root:org` workspace, the implicit
                 initializer name is `root:org:example`.
               type: boolean
+            initializerPermissions:
+              description: |-
+                initializerPermissions are the RBAC rules granted to initializer controllers when they
+                access workspace content through the initializing virtual workspace's content proxy.
+                Rules are evaluated in-process by the VW proxy on each request; no ClusterRole or
+                ClusterRoleBinding objects are created inside the workspace.
+
+                When empty (the default), the VW content proxy falls back to impersonating the
+                workspace owner (full cluster-admin), preserving the historical behavior.
+
+                Changes take effect immediately for all workspaces of this type.
+              items:
+                description: |-
+                  PolicyRule holds information that describes a policy rule, but does not contain information
+                  about who the rule applies to or which namespace the rule applies to.
+                properties:
+                  apiGroups:
+                    description: |-
+                      APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+                      the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  nonResourceURLs:
+                    description: |-
+                      NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
+                      Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+                      Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  resourceNames:
+                    description: ResourceNames is an optional white list of names
+                      that the rule applies to.  An empty set means that everything
+                      is allowed.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  resources:
+                    description: Resources is a list of resources this rule applies
+                      to. '*' represents all resources.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  verbs:
+                    description: Verbs is a list of Verbs that apply to ALL the ResourceKinds
+                      contained in this rule. '*' represents all verbs.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                required:
+                - verbs
+                type: object
+              type: array
             limitAllowedChildren:
               description: |-
                 limitAllowedChildren specifies constraints for sub-workspaces created in workspaces
@@ -258,6 +317,65 @@ spec:
                 WorkspaceType `example` is created in the `root:org` workspace, the implicit
                 terminator name is `root:org:example`.
               type: boolean
+            terminatorPermissions:
+              description: |-
+                terminatorPermissions are the RBAC rules granted to terminator controllers when they
+                access workspace content through the terminating virtual workspace's content proxy.
+                Rules are evaluated in-process by the VW proxy on each request; no ClusterRole or
+                ClusterRoleBinding objects are created inside the workspace.
+
+                When empty (the default), the VW content proxy falls back to impersonating the
+                workspace owner (full cluster-admin), preserving the historical behavior.
+
+                Changes take effect immediately for all workspaces of this type.
+              items:
+                description: |-
+                  PolicyRule holds information that describes a policy rule, but does not contain information
+                  about who the rule applies to or which namespace the rule applies to.
+                properties:
+                  apiGroups:
+                    description: |-
+                      APIGroups is the name of the APIGroup that contains the resources.  If multiple API groups are specified, any action requested against one of
+                      the enumerated resources in any API group will be allowed. "" represents the core API group and "*" represents all API groups.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  nonResourceURLs:
+                    description: |-
+                      NonResourceURLs is a set of partial urls that a user should have access to.  *s are allowed, but only as the full, final step in the path
+                      Since non-resource URLs are not namespaced, this field is only applicable for ClusterRoles referenced from a ClusterRoleBinding.
+                      Rules can either apply to API resources (such as "pods" or "secrets") or non-resource URL paths (such as "/api"),  but not both.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  resourceNames:
+                    description: ResourceNames is an optional white list of names
+                      that the rule applies to.  An empty set means that everything
+                      is allowed.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  resources:
+                    description: Resources is a list of resources this rule applies
+                      to. '*' represents all resources.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                  verbs:
+                    description: Verbs is a list of Verbs that apply to ALL the ResourceKinds
+                      contained in this rule. '*' represents all verbs.
+                    items:
+                      type: string
+                    type: array
+                    x-kubernetes-list-type: atomic
+                required:
+                - verbs
+                type: object
+              type: array
           type: object
         status:
           description: WorkspaceTypeStatus defines the observed state of WorkspaceType.

docs/content/concepts/authorization/authorizers.md

@@ -130,8 +130,32 @@ By default, workspaces are only accessible to a subject if they are in `Ready` p
 can be accessed only by subjects who are granted `admin` verb on the `workspaces/content` resource in the
 parent workspace.
 
+The authorizer also permits content access while the workspace is in the `Terminating` and `Deleting` phases so
+that terminator controllers and standard kube finalization (garbage collection, namespace deletion, finalizer
+removal) can complete cleanup. Permission is otherwise unchanged: subjects still need a matching binding inside
+the workspace.
+
 ServiceAccounts declared within a workspace don't have access to content of initializing workspaces.
 
+##### Lifecycle Synthetic Groups
+
+The initializing and terminating virtual workspace content proxies can forward requests with one of two synthetic
+groups attached to the controller's identity:
+
+* `system:kcp:initializer:<initializer-name>` (e.g. `system:kcp:initializer:root:tenant`)
+* `system:kcp:terminator:<terminator-name>`
+
+When the workspace content authorizer sees one of these groups it treats the request as **pre-authorized by the
+VW** and delegates to the next authorizer without re-evaluating workspace RBAC. This is what allows initializer
+and terminator controllers with scoped `initializerPermissions` / `terminatorPermissions` (see
+[Workspace Types](../workspaces/workspace-types.md#lifecycle-permissions)) to act with their own identity instead
+of impersonating the workspace owner.
+
+These groups cannot be self-asserted by clients: the front-proxy's `--authentication-drop-groups` defaults strip
+both prefixes (`system:kcp:initializer:*` and `system:kcp:terminator:*`) from every incoming request before any
+routing happens. The only code paths that can inject them are the VW content proxies, which run inside the
+front-proxy process and add the group **after** the in-process RBAC evaluation has already allowed the request.
+
 ##### Cross-Workspace
 
 Subjects who do not originate from the workspace the request is being made to and are not global kcp