Skip to content
This repository has been archived by the owner on Dec 6, 2024. It is now read-only.

Allow administrators to limit which Bucket(Access)Classes users can use #107

Open
BlaineEXE opened this issue Oct 31, 2024 · 1 comment
Open

Comments

@BlaineEXE
Copy link
Contributor

Admins should have a way to limit which BucketClasses and BucketAccessClasses that certain users (namespaces) can use.
This can be broken down into 2 parts:

  • basic access limits: limiting the allowed B(A)Classes on a per-namespace basis
  • quota limits: limiting the number of references any BClaim/BAccess can make in total or for particular B(A)Classes

The latest prior art in the Kube ecosystem is Pod Security Admission and Resource Quotas -- and of course RBAC

None of the above tools allow us to limit the references that are allowed in BClaims/BAccesses. However, admins can rely on Resource Quotas and RBAC to limit whether namespaces are allowed to create BClaims/BAccesses, and how many can be created. We should rely on existing mechanisms where possible, so we will not plan to implement tools for those limitations.

From our current understanding, there are no KEPs currently that are attempting to address broadly-applicable control of references. We could attempt to start such a KEP if we want to.

We may wish to implement a mechanism in COSI that will allow us to give administrators control over user consumption of COSI resources during COSI's early phases (right now). We should do our best to implement this mechanism in such a way that it can be easily replaced with a broadly-applicable implementation in the future.

Note 18 July 2024: approach sig-auth for suggestions about implementation/design

@BlaineEXE BlaineEXE converted this from a draft issue Oct 31, 2024
@BlaineEXE
Copy link
Contributor Author

sig-auth may have thoughts about how to do this

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant