ReferenceGrant KEP

[Rob Scott]

Hey Everyone,

I'd like to introduce a KEP that proposes moving ReferenceGrant to a sig-auth API group, and potentially also moving it from a CRD to an upstream API. This is something we've discussed at previous sig-auth meetings (Sep 28, 2022, and Sep 15, 2021), but I'd like to get some kind of confirmation on this mailing list that this is a reasonable idea to explore before actually writing up the KEP.

For context, this is a resource that was created within Gateway API to enable 2 specific kinds cross-namespace references:

1. Gateway -> TLS Cert Secret 

2. Route -> Backend (usually Service)

This pattern ended up being useful beyond Gateway API, and the same resource is now also used by sig-storage to enable cross-namespace data sources. As part of that, we're trying to find a neutral home for this resource to live, and sig-auth seems like the most natural place. Would it make sense to start a KEP to explore this in more detail?

Thanks!

Rob

[Clayton]

I would certainly like us to endorse a relatively consistent pattern for this problem, and experience in CRD in a domain is a good precursor to such an endorsement.  I won’t speak for sig-auth, but it does feel like a good sponsor.  sig-arch certainly could do more to help strengthen our patterns language in concert with sigs too.

On Jan 18, 2023, at 1:13 PM, 'Rob Scott' via kubernetes-sig-auth <kubernete...@googlegroups.com> wrote:



--
You received this message because you are subscribed to the Google Groups "kubernetes-sig-auth" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-auth/CAGY4dkmLmORDn%3Dt1Q02cNnMEYdfdXmP75PqwarBNDfUGaurqxQ%40mail.gmail.com.

[Davanum Srinivas]

+1 cc'ing sig-arch mailing list

To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-auth/A81184DD-4684-4C1B-AC05-A7C614C78A95%40gmail.com.

--

Davanum Srinivas :: https://twitter.com/dims

[Jordan Liggitt]

xref earlier discussions in sig-auth on 2022-09-28 and 2021-09-15

I'd be amenable to a KEP. A consistent way to model this interaction seems useful, and if there are built-in authorization implications to the API, sig-auth seems a natural home. There were a few additional questions in the 2022-09-28 meeting (where I think we ran out of time) that would be good to think through.

Since this would rely on the actuating controllers to opt into checking the grants, making it easy to do that correctly and hard to do incorrectly seems like a key part of the design, even going as far as a library controllers can plug in types/namespaces to and use to make queries to get consistent and desired behavior.

You received this message because you are subscribed to the Google Groups "kubernetes-sig-architecture" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-arch...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-architecture/CANw6fcH3bGuY203QCHhKBo5E99wxW-ZiEyTa-j2hJHcmf9oeqA%40mail.gmail.com.

[Michelle Au]

+1 from sig-storage. We would like to use leverage the same pattern and having a common library will help with consistency and correctness. Rob, let us know if you want to collaborate on the KEP.

[Michelle Au]

(reposting as my previous message only went to sig-auth)

+1 from sig-storage. We would like to leverage the same pattern and having a common library will help with consistency and correctness. Rob, let us know if you want to collaborate on the KEP.

To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-architecture/CAMBP-pLjTn%3Ddfi44oaoyB%2B1K%2BJyYZcW2mjV6UbbknhPsaGtHSA%40mail.gmail.com.

[Nick Young]

I've worked with Rob on this a lot for Gateway API, and I'd love to see this pattern go wider, so I'm also in for working on the KEP.

Nick

[Rob Scott]

Thanks everyone for the great feedback! Nick and I have started a KEP PR here: https://github.com/kubernetes/enhancements/pull/3767. Hoping to respond to initial feedback later today, but of course any additional feedback is always appreciated.