pipeline-service

Workspaces & RBAC

Open fgiloux opened this issue 2 years ago • 1 comments

The way workspaces and organizations are structured and the way the associated RBAC is applied are currently changing in kcp. It is expected that a good amount of these changes (PR 996, bump of the ClusterWorkspace API version) will land in release 0.6.

This issue is about reviewing our service account creation (used by Pipelines as Code workflows) and rights allocation, so that:

fgiloux, Jun 30 '22 13:06

Discussing with the kcp team:

  • A ServiceAccount is bound to the workspace it was created in
  • For this ServiceAccount to manipulate resources of other workspaces, an APIExport for the desired resources will need to be created in the workspace of the ServiceAccount, and an APIBinding to this APIExport in the other workspaces

Another interesting approach mentioned is to create and use an "out-of-band" ServiceAccount. This would be an SA directly created at the IDP level (the way it is done is IDP-dependent). Here is an example for Keycloak.

fgiloux, Jun 30 '22 15:06

KCP being out of the picture, I'm closing this issue as deprecated.

Roming22, Feb 22 '23 18:02