
Support for dynamic ignored user groups

Open prometherion opened this issue 3 years ago • 5 comments

Capsule is leveraging Kubernetes multi-tenancy using a combination of custom controllers and webhooks, used to intercept requests issued by tenant owners and allow or deny those.

Capsule supports ownership from multiple sources, such as User, Group, or ServiceAccount: the latter ones are also controllers living in the Kubernetes management system, aka kube-system. With that said, we cannot let these accounts play with multi-tenancy, because it would be a chicken-and-egg problem, as reported here.

https://github.com/clastix/capsule/blob/9f6883d309368a9dc0dda2c79a436837dc924c55/pkg/webhook/utils/is_capsule_user.go#L11-L16

However, there are some edge cases where this must be put in place, although with the big warning hic sunt leones.

Desired feature

A new CapsuleConfiguration annotation must be introduced, such as capsule.clastix.io/ignored-user-groups. Since we're going to support several user groups, these must be delimited by the comma symbol (,).

In case of a non-set annotation, the default value must be kube-system in order to preserve backward compatibility. If a user would like to skip any kind of enforcement, they can leave an empty value.

In the future, this annotation must also be ported to a new API version.

prometherion avatar May 23 '22 07:05 prometherion

@gkarthiks I could have missed something, let me know.

If it looks good to you and you're still eager to work on this, let me know so I can assign it.

prometherion avatar May 23 '22 07:05 prometherion

Looks great, I will work on this.

gkarthiks avatar May 23 '22 17:05 gkarthiks

@prometherion I got confused again.

So what you are proposing is to have an annotation capsule.clastix.io/ignored-user-groups and have the list of userGroups there.

Q1: What does the ignored-user-group mean: when a user request is coming from a user group that is part of that annotation, then we will want to deny that request?

gkarthiks avatar Jun 01 '22 09:06 gkarthiks

Q1: What does the ignored-user-group mean: when a user request is coming from a user group that is part of that annotation, then we will want to deny that request?

Yes, and looking at the code, it means returning false, as we're doing here: https://github.com/clastix/capsule/blob/9f6883d309368a9dc0dda2c79a436837dc924c55/pkg/webhook/utils/is_capsule_user.go#L11-L16

The main difference is that right now we just need to check a single entry; with the new feature, instead, we're going to check for multiple entries. We can easily go for a range function; we can discuss code performance enhancements later on.

prometherion avatar Jun 01 '22 10:06 prometherion
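An added example, not Capsule's own code, of the parsing and lookup described in the feature proposal and in the comment above. The annotation key is the one proposed in the issue; the "missing means kube-system" default and the "empty means nothing is skipped" rule follow the issue text; the function names ParseIgnoredUserGroups and IsIgnoredUser are hypothetical, and matching annotation entries verbatim against the request's group names is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// IgnoredUserGroupsAnnotation is the CapsuleConfiguration annotation proposed in the issue.
const IgnoredUserGroupsAnnotation = "capsule.clastix.io/ignored-user-groups"

// DefaultIgnoredUserGroups preserves today's behaviour when the annotation is not set
// (the issue names kube-system as the default; assumed here to be a literal group name).
var DefaultIgnoredUserGroups = []string{"kube-system"}

// ParseIgnoredUserGroups returns the user groups that must never be treated as Capsule users:
//   - annotation missing        -> DefaultIgnoredUserGroups (backward compatible)
//   - annotation set but empty  -> no groups ignored (enforcement applies to everyone)
//   - otherwise                 -> comma-delimited list, whitespace trimmed, blank entries dropped
func ParseIgnoredUserGroups(annotations map[string]string) []string {
	raw, ok := annotations[IgnoredUserGroupsAnnotation]
	if !ok {
		return append([]string(nil), DefaultIgnoredUserGroups...)
	}
	groups := make([]string, 0)
	for _, entry := range strings.Split(raw, ",") {
		if entry = strings.TrimSpace(entry); entry != "" {
			groups = append(groups, entry)
		}
	}
	return groups
}

// IsIgnoredUser reports whether any of the request's groups is in the ignored list.
// When it returns true, the webhook's IsCapsuleUser check would return false, as discussed above.
func IsIgnoredUser(requestGroups, ignored []string) bool {
	set := make(map[string]struct{}, len(ignored))
	for _, g := range ignored {
		set[g] = struct{}{}
	}
	for _, g := range requestGroups {
		if _, found := set[g]; found {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: a tenant owner in group "devs" versus a kube-system controller.
	ignored := ParseIgnoredUserGroups(map[string]string{IgnoredUserGroupsAnnotation: "kube-system, system:masters"})
	fmt.Println(IsIgnoredUser([]string{"devs"}, ignored), IsIgnoredUser([]string{"kube-system"}, ignored)) // false true
}
```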

Removed from the milestone due to inactivity in the PR.

prometherion avatar Jun 22 '22 16:06 prometherion

Stale feature request, considering reopening this if the community demands it.

prometherion avatar Jul 27 '23 18:07 prometherion