
Cross Namespace Event Links

Open Cali0707 opened this issue 1 year ago • 14 comments

Problem

There have been many requests for triggers to be in different namespaces than brokers (see #7439, #6577, #5139). If we are to add this feature, it makes sense to add it for the other main "event link": the subscription.

The feature track can be seen here

Persona: Administrators, developers

Exit Criteria

Alpha:

  • [ ] Feature flag is added
  • [ ] Triggers are able to refer to brokers in another namespace
  • [ ] Subscriptions are able to refer to channels in another namespace
  • [ ] Basic E2E tests showing the creation of triggers and subscriptions with appropriate auths and events flowing
  • [ ] Basic E2E tests showing that creation of triggers and subscriptions without appropriate auths fails

Beta:

  • [ ] More comprehensive E2E testing
  • [ ] Enable the new RBAC verb by default, without enabling the authentication of the RBAC verb
  • [ ] Communications with community members on how they will need to add the new RBAC “knsubscribe” verb to their RBAC setup

GA:

  • [ ] Conformance tests
  • [ ] Enabled by default

Cali0707 avatar Jan 04 '24 21:01 Cali0707

cc @pierDipi

Cali0707 avatar Jan 04 '24 21:01 Cali0707

Hi @Cali0707. I am interested in solving this issue for the upcoming LFX program.

sadath-12 avatar Jan 13 '24 14:01 sadath-12

I wonder if there is any prior art that can be pulled from here: https://gateway-api.sigs.k8s.io/api-types/referencegrant/ rather than updating existing k8s RBAC verbiage.

jonathan-innis avatar Jan 15 '24 06:01 jonathan-innis

Thank you @jonathan-innis for joining us in getting the best solution for this. So, to summarize it:

So, basically the owner creating the trigger and broker, who has access to both namespaces, would first create a ReferenceGrant sort of resource that would allow them to refer to each other's resources. So, coming to the case where a non-creator user has permission to do a get request on the trigger and can describe the definition to see that the broker exists in the other namespace: he still can't do anything, since it's the ReferenceGrant that makes the connection decision. For example, if a user with get permission on triggers in the test1 namespace sees that a broker with name xyy exists in the test2 namespace, he can't go ahead and create a trigger in the other namespace and refer to that broker, because the ReferenceGrant would not allow that, failing the `from` condition. So basically it would be useless for him to know that that particular resource exists.

sadath-12 avatar Jan 15 '24 08:01 sadath-12

Reference Grant is interesting, there is a core k8s KEP too https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/3766-referencegrant

pierDipi avatar Jan 15 '24 08:01 pierDipi
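The two comments above describe the ReferenceGrant model: the grant lives in the namespace of the referenced object (the Broker's namespace), and it is that grant, not the referrer's read access, that decides whether a Trigger in another namespace may point at the Broker. The following is an added example, not Knative Eventing's code and not the Gateway API implementation; it defines its own minimal types that mirror the shape of a Gateway API ReferenceGrant (`from` = group/kind/namespace of the referrer, `to` = group/kind and optional name of the target) and encodes the decision rule as a pure function. The namespaces `test1`/`test2`, the broker name `xyz` and the group `eventing.knative.dev` are assumptions chosen to match the scenario in the thread.

```go
package main

import "fmt"

// ObjectRef identifies a namespaced Kubernetes object. Constructed for this
// example; it is not a Knative or Gateway API type.
type ObjectRef struct {
	Group     string
	Kind      string
	Namespace string
	Name      string
}

// ReferenceGrantFrom names the group, kind and namespace that may refer
// into the namespace the grant lives in.
type ReferenceGrantFrom struct {
	Group     string
	Kind      string
	Namespace string
}

// ReferenceGrantTo names a target kind; an empty Name means any object of
// that kind in the grant's namespace.
type ReferenceGrantTo struct {
	Group string
	Kind  string
	Name  string
}

// ReferenceGrant mirrors the Gateway API shape: it is created in the
// namespace of the referenced object, so only that namespace's owner can
// open it up to referrers elsewhere.
type ReferenceGrant struct {
	Namespace string
	From      []ReferenceGrantFrom
	To        []ReferenceGrantTo
}

// ReferenceAllowed reports whether `from` may reference `to`. A grant counts
// only if it lives in the target's namespace, lists the referrer's
// group/kind/namespace, and lists the target's group/kind (and name, if set).
func ReferenceAllowed(grants []ReferenceGrant, from, to ObjectRef) bool {
	if from.Namespace == to.Namespace {
		return true // same-namespace references need no grant
	}
	for _, g := range grants {
		if g.Namespace != to.Namespace {
			continue // a grant in the referrer's namespace is irrelevant
		}
		if fromMatches(g.From, from) && toMatches(g.To, to) {
			return true
		}
	}
	return false
}

func fromMatches(froms []ReferenceGrantFrom, from ObjectRef) bool {
	for _, f := range froms {
		if f.Group == from.Group && f.Kind == from.Kind && f.Namespace == from.Namespace {
			return true
		}
	}
	return false
}

func toMatches(tos []ReferenceGrantTo, to ObjectRef) bool {
	for _, t := range tos {
		if t.Group == to.Group && t.Kind == to.Kind && (t.Name == "" || t.Name == to.Name) {
			return true
		}
	}
	return false
}

// ExampleGrants returns the constructed scenario from the thread: the owner
// of namespace test2 allows Triggers from test1 to use Broker "xyz".
func ExampleGrants() []ReferenceGrant {
	return []ReferenceGrant{{
		Namespace: "test2",
		From:      []ReferenceGrantFrom{{Group: "eventing.knative.dev", Kind: "Trigger", Namespace: "test1"}},
		To:        []ReferenceGrantTo{{Group: "eventing.knative.dev", Kind: "Broker", Name: "xyz"}},
	}}
}

func main() {
	grants := ExampleGrants()
	trigger := ObjectRef{Group: "eventing.knative.dev", Kind: "Trigger", Namespace: "test1", Name: "t"}
	broker := ObjectRef{Group: "eventing.knative.dev", Kind: "Broker", Namespace: "test2", Name: "xyz"}
	fmt.Println("test1/t -> test2/xyz allowed:", ReferenceAllowed(grants, trigger, broker))

	other := ObjectRef{Group: "eventing.knative.dev", Kind: "Trigger", Namespace: "test3", Name: "t"}
	fmt.Println("test3/t -> test2/xyz allowed:", ReferenceAllowed(grants, other, broker))
}
```

Two properties matter for the security argument in the thread: the check is keyed on the grant's own namespace, so a user who can create objects only in `test1` cannot manufacture a grant that opens `test2`; and knowing that the Broker exists gives the referrer nothing, because the decision is taken entirely from the `from` and `to` clauses. In a real implementation the same function would run in the admission webhook and again in the reconciler, since a grant can be deleted after the Trigger was admitted and the reference must then stop being honoured.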

I am also interested in this issue.

octonawish-akcodes avatar Jan 15 '24 11:01 octonawish-akcodes

I am writing to express my excitement and gratitude for the upcoming mentorship during the 2024 Term 01. The prospect of being guided by someone of your caliber is truly inspiring, and I look forward to the growth and learning this experience will undoubtedly bring.

As we embark on this mentorship journey, I am eager to gain insights from your expertise and delve into the hands-on projects that will shape my understanding of the field. The anticipation of collaborating with like-minded peers and the expectation of a supportive learning environment have already fueled my enthusiasm.

I am confident that your mentorship will provide not only technical knowledge but also invaluable insights into the broader aspects of the industry. I appreciate the opportunity and am ready to make the most of this learning experience.

Thank you in advance for your guidance, and I look forward to the exciting and enriching journey ahead.

btwshivam avatar Jan 21 '24 07:01 btwshivam

Hey @pierDipi @Cali0707, I'm pretty much interested in this issue for the upcoming LFX program, and I do have experience handling client-go and apimachinery and building out Kubernetes operators and admission controllers. I'm trying to learn about Kafka and Knative now and apply them.

deepak4566 avatar Jan 22 '24 08:01 deepak4566

For anyone interested in participating in the LFX mentorship program, please share a feature track / design document using the mentors' emails so that we know what your design idea for the solution is. You can use the Knative feature track templates here: https://docs.google.com/document/d/1FvezfvBghevCRoZUmN3SoTVtm6f_u_r5f94MEa4jNIA/edit

pierDipi avatar Jan 22 '24 09:01 pierDipi

There is an update on the reference grant KEP https://github.com/kubernetes/enhancements/pull/4387

pierDipi avatar Jan 23 '24 17:01 pierDipi

Hey @Cali0707 @pierDipi, I am interested in the upcoming LFX mentorship term. How do you think knsubscribe will get added as a new RBAC verb? Is it expected to be configured in webhook-clusterrole.yml and then used?

prakrit55 avatar Feb 05 '24 13:02 prakrit55

/assign

yijie-04 avatar Mar 04 '24 20:03 yijie-04

This issue is stale because it has been open for 90 days with no activity. It will automatically close after 30 more days of inactivity. Reopen the issue with /reopen. Mark the issue as fresh by adding the comment /remove-lifecycle stale.

github-actions[bot] avatar Jun 03 '24 01:06 github-actions[bot]

/remove-lifecycle stale
/triage accepted

Cali0707 avatar Jun 03 '24 13:06 Cali0707