
Feature: allow flexible subjects for clusterrolebindings/rolebindings

Open stjudecloud-cloudy opened this issue 3 years ago • 2 comments

In Azure AKS, users can have access granted either by their AD group membership or directly using their AD user ID. It would be extremely useful if user access management could be done using permission-manager.

In order to achieve this, it would be necessary to allow different kinds of subjects for both clusterrolebinding and rolebinding. This is an example of a clusterrolebinding used for assigning RBAC to an AD group:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: test
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-developer
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: id-redacted
```

Similarly, `kind: User` can be used to grant a specific user access to Kubernetes using RBAC. Ideally, the web interface should allow creation of different kinds of subjects and use the created subjects for access grants.

stjudecloud-cloudy, Aug 24 '20 20:08

Uhmm, we have to analyze it. Currently, when a permissionmanageruser is created, a serviceaccount is created too. So all bindings stick to the serviceaccount subject.

Changing the 🔝 behaviour is a major change that we have to evaluate, but we understand the situation.

angelbarrera92, Oct 26 '20 11:10

This is just creating a service account. We would like to see more functionality like Role Role bindings. As per the document, a service account is just for applications and jobs.

sandeepcp, Feb 16 '22 17:02
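
An added example, not part of the issue or of permission-manager's code: a Python script that inventories which subjects (Group, User, ServiceAccount) hold which roles across bindings, and checks each subject's shape against the RBAC v1 rules (a ServiceAccount subject needs a namespace and an empty apiGroup; User and Group subjects use `rbac.authorization.k8s.io`). The sample data is constructed; every name except the `test` binding from the issue is a placeholder.

```python
import json
from collections import defaultdict

RBAC_GROUP = "rbac.authorization.k8s.io"

# Constructed sample, trimmed to the fields used here and shaped like
# `kubectl get clusterrolebindings,rolebindings -A -o json`. Names are placeholders.
SAMPLE = json.loads("""{"items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "test"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-developer"},
  "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "id-redacted"}]},
 {"kind": "RoleBinding", "metadata": {"name": "dev-user", "namespace": "team-a"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-developer"},
  "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "user-id-placeholder"}]},
 {"kind": "RoleBinding", "metadata": {"name": "pm-sa", "namespace": "team-a"},
  "roleRef": {"kind": "Role", "name": "developer"},
  "subjects": [{"kind": "ServiceAccount", "name": "alice", "namespace": "permission-manager"}]},
 {"kind": "RoleBinding", "metadata": {"name": "broken-sa", "namespace": "team-a"},
  "roleRef": {"kind": "Role", "name": "developer"},
  "subjects": [{"kind": "ServiceAccount", "name": "bob"}]}
]}""")

def subject_problems(s):
    """Return the shape errors for one subject under the RBAC v1 subject rules."""
    kind, group = s.get("kind"), s.get("apiGroup", "")
    if kind == "ServiceAccount":
        errs = ["apiGroup must be empty"] if group else []
        return errs + ([] if s.get("namespace") else ["namespace is required"])
    if kind in ("User", "Group"):  # an omitted apiGroup defaults to RBAC_GROUP
        return [] if group in ("", RBAC_GROUP) else ["apiGroup must be " + RBAC_GROUP]
    return ["unknown subject kind %r" % kind]

def grants_by_subject(items):
    """Map (kind, namespace, name) -> [(scope, role)]; scope "*" means cluster-wide."""
    grants, problems = defaultdict(list), []
    for b in items:
        meta, ref = b["metadata"], b["roleRef"]
        scope = meta["namespace"] if b["kind"] == "RoleBinding" else "*"
        for s in b.get("subjects") or []:  # subjects may be absent or null
            problems += [(meta["name"], s.get("name"), p) for p in subject_problems(s)]
            key = (s.get("kind"), s.get("namespace", ""), s.get("name"))
            grants[key].append((scope, ref["kind"] + "/" + ref["name"]))
    return dict(grants), problems

if __name__ == "__main__":
    grants, problems = grants_by_subject(SAMPLE["items"])
    for key, roles in sorted(grants.items()):
        print(key, roles)
    print("problems:", problems)
```
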