Current State
Currently, the kcp-admin kubeconfigs is used in all platform mesh services. We strive to have separate kubeconfigs for the service that give contain service specific kubeconfigs only with the rbacs needed, rather than full admin access
Target
We need to come to a state where using the admin-kubeconfig is not the default but rather an explicit opt-in to properly scope down the permissions our operators have across the kcp instance. For that the platform-mesh operator needs to be aware what permissions are needed by which operator.
We already have that information - for any future provider - as part of the APIExport that these provider bring with them. The platform-mesh operator needs to be able to generate a ServiceAccount token based kubeconfig for a given provider, with RBACs attached to it, that give:
- Full Access to the resources listed in the
latestResourcheSchemas section
- the access specified in the
permissionClaims with the corresponding scopes, verbs etc.
Todos
Current State
Currently, the kcp-admin kubeconfigs is used in all platform mesh services. We strive to have separate kubeconfigs for the service that give contain service specific kubeconfigs only with the rbacs needed, rather than full admin access
Target
We need to come to a state where using the admin-kubeconfig is not the default but rather an explicit opt-in to properly scope down the permissions our operators have across the kcp instance. For that the platform-mesh operator needs to be aware what permissions are needed by which operator.
We already have that information - for any future provider - as part of the
APIExportthat these provider bring with them. The platform-mesh operator needs to be able to generate a ServiceAccount token based kubeconfig for a given provider, with RBACs attached to it, that give:latestResourcheSchemassectionpermissionClaimswith the corresponding scopes, verbs etc.Todos