cluster-api Consider limited kubeconfig for internal components and consumers

User Story

As a developer/user/operator I would like to CAPI core internal components to be granted only with the perms they need.

Detailed Description

Today CAPI generates a full admin config that is then consumed by the Machine Controller and by any component claiming a cluster accessor through the remote cache tacker, i.e r.Tracker.GetClient(ctx, util.ObjectKey(cluster)).

The Machine controller shouldn't need full admin client to operate successfully. There might be other components needing narrowed set of permissions:

Autoscaling.
Azure AD for cluster authentication https://capz.sigs.k8s.io/topics/aad-integration.html (if you have the admin kubeconfig it kind of defeats the purpose).

This is to discuss alternatives for: 1 - Create limited kubeconfigs for consumption of our internal core components. 2 - Consider providing a way to express desired for capi outputting t-shirt size / limited kubeconfigs.

Anything else you would like to add:

[Miscellaneous information that will assist in solving the issue.]

/kind feature

Nov 01 '21 17:11 enxebre

cc @CecileRobertMichon @voor

Nov 01 '21 17:11 enxebre

Somehow related to this https://github.com/kubernetes-sigs/cluster-api/issues/3661 TBD if we can dedup/merge

Nov 01 '21 20:11 fabriziopandini

/kind proposal /milestone Next

Nov 02 '21 15:11 vincepri

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

After 90d of inactivity, lifecycle/stale is applied
After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

Mark this issue or PR as fresh with /remove-lifecycle stale
Mark this issue or PR as rotten with /lifecycle rotten
Close this issue or PR with /close
Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

Jan 31 '22 16:01 k8s-triage-robot

/remove-lifecycle stale

Jan 31 '22 16:01 fabriziopandini

/lifecycle frozen /help

Jan 31 '22 16:01 vincepri

@vincepri: This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

Why are we solving this issue?
To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
Does this issue have zero to low barrier of entry?
How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-help command.

In response to this:

/lifecycle frozen /help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Jan 31 '22 16:01 k8s-ci-robot

/triage accepted

Oct 03 '22 19:10 fabriziopandini

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

Confirm that this issue is still relevant with /triage accepted (org members only)
Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

Jan 19 '24 01:01 k8s-triage-robot

/priority important-longterm

Apr 12 '24 14:04 fabriziopandini

This is still important to improve the security posture of CAPI itself /triage accepted

Apr 23 '24 12:04 fabriziopandini