Service Accounts
paurosello opened this issue · 0 comments
paurosello commented
Description
We need to provide a way to grant permissions to users, groups or service accounts. In the current implementation we can grant access to organizations, tenants or spaces to a set of users or groups, but we lack the implementation for service accounts.
Proposal
Add another option in the Organization, Tenant and Space CRDs at the spec.roles[] attribute.
Before
apiVersion: k8spin.cloud/v1
kind: Organization
metadata:
  name: example
spec:
  resources:
    cpu: "10"
    memory: "10G"
  # By default the organization name could be used to access the organization if the certificate includes the name in the certificate field O=
  roles:
    - name: organization-admin # Cluster Role
      groups: ["K8Spin.cloud"]
    - name: organization-admin # Cluster Role
      users: ["Angel", "Pau"]
After
apiVersion: k8spin.cloud/v1
kind: Organization
metadata:
  name: example
spec:
  resources:
    cpu: "10"
    memory: "10G"
  # By default the organization name could be used to access the organization if the certificate includes the name in the certificate field O=
  roles:
    - name: organization-admin # Cluster Role
      groups: ["K8Spin.cloud"]
    - name: organization-admin # Cluster Role
      users: ["Angel", "Pau"]
    - name: organization-admin # Cluster Role
      serviceAccounts: ["kube-system:robot", "default:github"]
Expected output
Two new RoleBindings have to be created granting organization-admin permissions to the service account robot (living in kube-system) and github (living in the default namespace).
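As an added example (not the K8Spin project's own code), this is how the proposed `serviceAccounts` entries could be expanded into the two RoleBindings described above. The `<namespace>:<name>` split, the strict validation of both parts, the binding name scheme and the target namespace are assumptions; the point it makes is that a ServiceAccount subject, unlike a User or Group, must carry its namespace, so an entry without one cannot be silently accepted.

```python
# Added example, not K8Spin code: expand spec.roles[].serviceAccounts into
# Kubernetes RoleBinding manifests, one per service account.
import re

# Assumed entry format "<namespace>:<name>", both parts restricted to
# DNS-1123 characters so a malformed entry never becomes a binding.
_REF = re.compile(
    r"^([a-z0-9]([-a-z0-9]*[a-z0-9])?):([a-z0-9]([-a-z0-9.]*[a-z0-9])?)$"
)


def is_valid_service_account_ref(ref):
    """True only for a well-formed '<namespace>:<name>' entry."""
    return _REF.match(ref) is not None


def parse_service_account(ref):
    """Split 'kube-system:robot' into ('kube-system', 'robot'); reject anything else."""
    m = _REF.match(ref)
    if not m:
        raise ValueError(
            f"invalid serviceAccounts entry {ref!r}: expected '<namespace>:<name>'"
        )
    return m.group(1), m.group(3)


def build_role_bindings(role_entry, target_namespace, org_name):
    """Return one RoleBinding per service account listed in a spec.roles[] entry.

    One binding per subject keeps each grant individually auditable and
    revocable (constructed naming scheme: <org>-<role>-<sa-ns>-<sa-name>).
    """
    bindings = []
    for ref in role_entry.get("serviceAccounts", []):
        sa_namespace, sa_name = parse_service_account(ref)
        bindings.append({
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "RoleBinding",
            "metadata": {
                "name": f"{org_name}-{role_entry['name']}-{sa_namespace}-{sa_name}",
                "namespace": target_namespace,  # namespace the role is granted in
            },
            # The role name in the CRD refers to a ClusterRole, as the comment
            # in the issue's YAML states.
            "roleRef": {
                "apiGroup": "rbac.authorization.k8s.io",
                "kind": "ClusterRole",
                "name": role_entry["name"],
            },
            # ServiceAccount subjects require the namespace the account lives in.
            "subjects": [
                {"kind": "ServiceAccount", "name": sa_name, "namespace": sa_namespace}
            ],
        })
    return bindings
```

Running it on the issue's entry `{"name": "organization-admin", "serviceAccounts": ["kube-system:robot", "default:github"]}` yields the two bindings the issue expects, while an entry such as `"robot"` (no namespace) is rejected instead of being bound.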