RBAC in KUDO


Michael Tanenbaum

Dec 13, 2019, 12:29:45 PM
to kudob...@googlegroups.com, Justin LaMora, Corbin Pacheco, Zack Tembi
Please be aware that this is a public forum for the open source KUDO community. Anything posted in this email thread will be publicly visible.

Hi KUDO Community!

We were recently speaking with an organization that is eager to author their own operators, as well as to leverage the extant community operators.

They had a few questions around RBAC in KUDO and how KUDO today and in the future would conform to their needs. Specifically:
  • Cluster users should be allowed to spin up KUDO Operators from a pre-defined catalog only.
  • Cluster users will not have admin privileges.
  • Cluster users should only be able to deploy to the namespace(s) to which they have permission to deploy resources.
What (if any) of these features are possible with KUDO today? Are any on the roadmap for future releases? I read the FAQ around RBAC, but I confess I wasn't able to discern the answers to the above questions.

Any guidance much appreciated!

Mike

--
Michael Tanenbaum
Senior Sales Engineer, D2iQ

Gerred Dillon

Dec 17, 2019, 1:43:25 PM
to kudobuilder
Hi Michael! Sorry for the delayed response.

1. "only" is fairly strict, but KUDO clients can set which repos they are accessing. Since KUDO installations are currently client side, there's no protecting against that. Kubernetes admins who want to limit it will want to set up RBAC around OperatorVersion creation, and have admins curate that (an instance can be created as long as there's an OV to match).
2. This is normal Kubernetes RBAC and KUDO doesn't do anything to override that.
3. Same as 2.
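
The RBAC arrangement described in the reply above, sketched as an added example that is not part of the original thread or KUDO's own manifests. The namespace `team-a`, the groups `team-a-devs` and `kudo-catalog-admins`, and the role names are hypothetical; it assumes KUDO's Operator, OperatorVersion and Instance CRDs are namespaced resources in the `kudo.dev` API group.

```yaml
# Added example; all names below are hypothetical placeholders.
# Regular users: may read the curated catalog and manage Instances only.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kudo-instance-user
  namespace: team-a
rules:
  # Read-only on what the admins have curated; no create/update/delete,
  # so users cannot add an OperatorVersion from an arbitrary repo.
  - apiGroups: ["kudo.dev"]
    resources: ["operators", "operatorversions"]
    verbs: ["get", "list", "watch"]
  # Instances can be created as long as a matching OperatorVersion exists.
  - apiGroups: ["kudo.dev"]
    resources: ["instances"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kudo-instance-user
  namespace: team-a          # scope: only this namespace, no cluster-wide grant
subjects:
  - kind: Group
    name: team-a-devs
    apiGroup: rbac.authorization.k8s.io
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kudo-instance-user
---
# Catalog curators: the only subjects allowed to write OperatorVersions.
# Bind this to the kudo-catalog-admins group with a RoleBinding of the same shape.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kudo-catalog-admin
  namespace: team-a
rules:
  - apiGroups: ["kudo.dev"]
    resources: ["operators", "operatorversions"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
```

To check the result, `kubectl auth can-i create operatorversions.kudo.dev -n team-a --as=some-user --as-group=team-a-devs` should answer `no`, while the same query for `instances.kudo.dev` should answer `yes`.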

Michael Tanenbaum

Dec 17, 2019, 1:46:40 PM
to Gerred Dillon, kudobuilder, Justin LaMora, Corbin Pacheco, Zack Tembi
Awesome! Thanks for confirming, Gerred!
