Consult: what do we call the "subject" of a policy?


Tim Hockin

Jan 24, 2022, 5:04:28 PM1/24/22
to kubernetes-api-reviewers
API reviewers.

Do we have a convention for "the thing a policy resource addresses" ?
For example, NetworkPolicy has PodSelector and makes it very
difficult to ever extend that. If you were reviewing a new policy-ish
API, what would you suggest for this? E.g. "subject", "target",
"appliesTo", ...

Tim

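The extensibility concern in the opening post (a policy whose addressed workloads are baked into one pod-scoped `podSelector` field) is easier to see next to the alternative shape. The following Go snippet is an added illustration, not code from this thread or from Kubernetes; `PolicySubject`, `PolicySpec`, `ParseSpec` and the member names `pods`/`namespaces` are hypothetical, and `LabelSelector` is a simplified stand-in for `metav1.LabelSelector` so it runs without apimachinery. It contrasts the legacy single-field shape with a union field that can grow new member kinds, and shows the validation a reviewer would expect around such a union.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// LabelSelector is a deliberately simplified stand-in for
// metav1.LabelSelector (assumption: matchLabels only, no matchExpressions)
// so the example runs without importing k8s.io/apimachinery.
type LabelSelector struct {
	MatchLabels map[string]string `json:"matchLabels,omitempty"`
}

// LegacyPolicySpec has the shape the thread calls hard to extend: the
// addressed workloads live in a single field whose name and type say "pods".
type LegacyPolicySpec struct {
	PodSelector LabelSelector `json:"podSelector"`
}

// PolicySubject is a hypothetical union field ("subject" is one of the
// candidate names in the thread, not a settled convention). Exactly one
// member is set; new members can be added later without renaming the field.
type PolicySubject struct {
	Pods       *LabelSelector `json:"pods,omitempty"`
	Namespaces *LabelSelector `json:"namespaces,omitempty"`
}

// PolicySpec is the hypothetical extensible spec.
type PolicySpec struct {
	Subject PolicySubject `json:"subject"`
}

// ValidateSubject enforces the union invariant. Rejecting an empty union is
// a design choice made here: a policy whose subject silently became empty
// (for example because an older server dropped a member it did not know)
// would otherwise apply to nothing, or to everything, and neither is a safe
// default for allow/deny rules.
func ValidateSubject(s PolicySubject) error {
	set := 0
	if s.Pods != nil {
		set++
	}
	if s.Namespaces != nil {
		set++
	}
	switch set {
	case 0:
		return errors.New("subject: exactly one of pods or namespaces must be set")
	case 1:
		return nil
	default:
		return fmt.Errorf("subject: %d members set, expected exactly one", set)
	}
}

// Matches reports whether a workload, given its pod labels and the labels of
// its namespace, is addressed by the subject.
func (s PolicySubject) Matches(podLabels, nsLabels map[string]string) bool {
	switch {
	case s.Pods != nil:
		return selects(*s.Pods, podLabels)
	case s.Namespaces != nil:
		return selects(*s.Namespaces, nsLabels)
	}
	return false
}

func selects(sel LabelSelector, labels map[string]string) bool {
	for k, v := range sel.MatchLabels {
		if got, ok := labels[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// ParseSpec decodes a spec strictly: unknown fields are an error rather than
// being silently dropped, and the union invariant is checked before the spec
// is accepted.
func ParseSpec(raw []byte) (PolicySpec, error) {
	var spec PolicySpec
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&spec); err != nil {
		return PolicySpec{}, err
	}
	if err := ValidateSubject(spec.Subject); err != nil {
		return PolicySpec{}, err
	}
	return spec, nil
}

// SampleSpec is a constructed manifest fragment, not taken from any real cluster.
const SampleSpec = `{"subject":{"namespaces":{"matchLabels":{"team":"payments"}}}}`

func main() {
	spec, err := ParseSpec([]byte(SampleSpec))
	fmt.Println(spec.Subject.Namespaces != nil, err)
	// A member this hypothetical type does not know is rejected, not dropped:
	_, err = ParseSpec([]byte(`{"subject":{"serviceAccounts":{"matchLabels":{}}}}`))
	fmt.Println(err)
}
```

The strict decode and the "exactly one member" rule go together: without them, a client that sends a member the server does not recognise would get a policy that is accepted but addresses nothing, which is the failure mode a network allow/deny policy least wants to hide.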
Clayton Coleman

Jan 24, 2022, 5:11:19 PM1/24/22
to Tim Hockin, kubernetes-api-reviewers
Certainly “subject” is the default term for all of authn/z. Target
has felt more approachable in some apis (especially if there is a
“source”), and i will admit the rbac terms were more precisely geared
towards co-opting language widely used in access control literature,
so leveraging them elsewhere may lose some impact.

How general is this policy api? Maybe the more general and abstract,
the more likely it should use subject, but if you’re acting on a
resource either target or a domain specific noun would be better.


Tim Hockin

Jan 24, 2022, 5:14:09 PM1/24/22
to Clayton Coleman, kubernetes-api-reviewers
It's networking, of course :) This is "the things affected by network
allow/deny rules".

"target" was my first gut feeling. This policy applies to both
ingress and egress so "source" and "destination" or "to" and "from"
are not ideal.

Daniel Smith

Jan 24, 2022, 5:18:02 PM1/24/22
to Tim Hockin, Clayton Coleman, kubernetes-api-reviewers
I recommend never using "target" as a name, because in some contexts it's ambiguous enough to refer to either a source or a destination.

Clayton Coleman

Jan 24, 2022, 5:19:45 PM1/24/22
to Daniel Smith, Tim Hockin, kubernetes-api-reviewers
If this is egress/ingress, which are already confusing, I agree that the word should capture an unambiguous direction.

Clayton Coleman

Jan 24, 2022, 5:20:56 PM1/24/22
to Daniel Smith, Tim Hockin, kubernetes-api-reviewers
> On Jan 24, 2022, at 5:19 PM, Clayton Coleman <ccol...@redhat.com> wrote:
> If this is egress/ingress, which are already confusing, I agree that the word should capture an unambiguous direction.

Typo! Unambiguous purpose (not direction).

Tim Hockin

Jan 24, 2022, 5:29:16 PM1/24/22
to Daniel Smith, Clayton Coleman, kubernetes-api-reviewers
So you'd prefer "subject" ? or "appliedTo"?

Clayton Coleman

Jan 26, 2022, 10:30:15 AM1/26/22
to Tim Hockin, Daniel Smith, kubernetes-api-reviewers
Heh, my non-response was feeling like I still liked target better than those two, but Daniel had a good point. Subject does feel kind of weird in an ingress/egress sense (too generic?). AppliedTo falls into the "two words are worse than one" trap, especially with the generic "to", but I'm struggling to find suggestions.

Davanum Srinivas

Jan 26, 2022, 10:34:25 AM1/26/22
to Clayton Coleman, Tim Hockin, Daniel Smith, kubernetes-api-reviewers
FWIW, XACML uses "Target", I think.

Daniel Smith

Jan 26, 2022, 12:48:28 PM1/26/22
to Davanum Srinivas, Clayton Coleman, Tim Hockin, kubernetes-api-reviewers
"actor", "requestor", "originator/origination", "source"?

Specifically "target" could mean "the policy's target" or "the source's target", which are often opposite things!