Reedback requested: Fine grained roles for VirtualMachines

[Michael Henriksen]

Hi All,

I've been researching ways to grant users permission to modify only specific parts of a VirtualMachine definition, such as adding or removing disks, without giving them full editing privileges.

I've developed a POC to demonstrate my suggested approach to the problem, which you can find at [1]. I would greatly appreciate the community's feedback on this.

Primarily, I'm interested in knowing if this is a topic we should explore further. Is the "update virtualmachines" RBAC too broad for your organization's needs? What specific roles or granular permissions would you find useful in your workflows? If there is sufficient interest, I will initiate the VEP process.

Best regards,

Mike

[1] https://github.com/mhenriks/kubevirt-rbac-webhook

[Felix Matouschek]

Hi Michael,

that is an interesting topic.

I got feedback that a more restrictive way of creating VMs could be useful, i.e. allowing to create VMs only from pre-defined templates.

We're trying to address this in VEP 76 by adding a subresource API for creating VMs from templates, so RBAC can be used to restrict creating VMs only from templates.

It is unclear how this could be integrated, but I think it could be related to your work.

Thanks,

Felix

--
You received this message because you are subscribed to the Google Groups "kubevirt-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubevirt-dev...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/kubevirt-dev/CAF0u-njR7SLLaqUirztJrnDLbLS2HBN2JDH9CGLUPoToUJANSw%40mail.gmail.com.