Skip to content

Change kubeconfigs from kcp-admin credentials to service specific credentials #79

Description

@aaronschweig

Current State
Currently, the kcp-admin kubeconfigs is used in all platform mesh services. We strive to have separate kubeconfigs for the service that give contain service specific kubeconfigs only with the rbacs needed, rather than full admin access

Target

We need to come to a state where using the admin-kubeconfig is not the default but rather an explicit opt-in to properly scope down the permissions our operators have across the kcp instance. For that the platform-mesh operator needs to be aware what permissions are needed by which operator.

We already have that information - for any future provider - as part of the APIExport that these provider bring with them. The platform-mesh operator needs to be able to generate a ServiceAccount token based kubeconfig for a given provider, with RBACs attached to it, that give:

  • Full Access to the resources listed in the latestResourcheSchemas section
  • the access specified in the permissionClaims with the corresponding scopes, verbs etc.

Todos

  • Update to generate service-specific kubeconfigs
  • Update to generate specific RBACs for a generated service account based on the above criteria
  • Provide the capability to explicitly opt-in for an admin kubeconfig if an operator really needs it
  • Test the generated configurations work and do not cause logic to break

Metadata

Metadata

Assignees

Labels

Type

Fields

No fields configured for Task.

Projects

Status
Blocked/Waiting

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions