Comments (6)
ericchiang
commented on August 14, 2024
Couple thoughts on how this might go:
- Document how to use an authenticating/authorizing proxy
- Add instructions for running the registry as an aggregated API server while delegating auth-Z to the central API server
- Define CRDs equivalents with JSON schema validation to let users register cluster objects on a existing cluster and just use RBAC
The more the cluster-registry repo can avoid re-implementing an API server, I think the better.
from cluster-registry.
pmorie
commented on August 14, 2024
Define CRDs equivalents with JSON schema validation to let users register cluster objects on a existing cluster and just use RBAC
This shouldn't be necessary - you can write an RBAC rule for any API group and resource/subresources. If you have delegating authn/z back to the main API server you will just get this.
@font what do you think about implementing this?
from cluster-registry.
perotinus
commented on August 14, 2024
Changed the name of this issue to specifically address delegated authorization. I opened #46 to track non-delegated authorization.
from cluster-registry.
font
commented on August 14, 2024
Yes, I am working on this (realized I hadn't replied yet).
from cluster-registry.
font
commented on August 14, 2024
How do we want to handle the different personalities that clusterregistry will assume when running as a delegated vs standalone apiserver?
Some things that will need to be addressed:
- Authn model: currently CR has built-in authn model. Will also need to delegate to core k8s apiserver. Need to allow both.
- Authz model: currently CR has always-allow authz model. Will also need to delegate to core k8s apiserver. Need to allow both.
- Necessary flags: introducing new standalone flag while removing unnecessary flags when delegating
- Other stuff?
Some possible options:
- Add extra flag error checking and allow possible confusion when user specifies combinations that are not compatible.
- Do we want to add new subcommands to handle the different flags that could then trigger different paths for the authn/authz setup? This would seem strange for an apiserver. Are there any other apiservers doing this?
- Two separate binaries for delegated vs standalone. Probably try to avoid this.
- Other options?
from cluster-registry.
perotinus
commented on August 14, 2024
This is now implemented and working as of #120.
from cluster-registry.
Related Issues (20)
- crinit aggregated init fail due to cannot create the clusterrole HOT 5
- crinit standalone init failed HOT 5
- Determine scoping of Cluster registry types HOT 5
- Determine name of 'public' namespace for globally accessible cluster records HOT 6
- `crinit standalone init mycr mycluster.icp-context` hang HOT 2
- Wrong cp command in the examples/samplecontainer/README.md HOT 1
- Follow-up tasks for CRD conversion HOT 4
- setting up cluster registry fails HOT 2
- How to deploy storage-provisioner HOT 1
- Where to get federation image HOT 2
- Upgrade kubebuilder to 0.1.12 HOT 1
- Link to YAML for CRD leads to 404 on website
- CRD definition is broken on kube 1.11.1 cluster HOT 6
- Add missing go tools. HOT 4
- kubefed2 join fails with gke clusters HOT 1
- Consider removing generated client HOT 4
- Re-generate client to make it compilable with 1.13 libraries HOT 10
- Support custom metadata per cluster HOT 4
- fix invalid links HOT 4
- Dead project? HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cluster-registry.