Kostiantyn Ovchynnykov
Tuesday at 6:26 AM
hello team!
I'm a bit confused with "credential" part of k0rdent architecture here: https://docs.k0rdent.io/v0.1.0/k0rdent-architecture/#credentials
it says that Developers reference the Credential object, which gives the cluster the ability to access these credentials (little "c") without having to expose them to developers directly.
but in case of Openstack being used (not familiar with other cloud providers) credential information will be available on the child cluster in the openstack-cloud-config secret in the kube-system namespace. Thus the person created CLD and able to obtain admin kubeconfig for the child cluster will be able to fetch credential info from the child cluster.
docs.k0rdent.io
k0rdent architecture - Documentation
Documentation for k0rdent.
Serhii Ivanov
🏡 Tuesday at 6:44 AM
kubernetes-sigs/cluster-api-provider-openstack#2386
Bharath Nallapeta
Tuesday at 6:44 AM
the credentials in the child cluster that are in the kube-system namespace aren't accessible to everyone. The roles they are talking about are distinct.
mothership cluster - admin/lead/platform engineer
child cluster - developer
the platform engineer will decide RBAC for the developer in the child cluster. And typically, a developer isn't expected to have access to the kube-system namespace.
Kostiantyn Ovchynnykov
Tuesday at 6:46 AM
the idea was "if a developer can create a cld - it can get the admin kubeconfig for the child cluster (or how should it be accessed by the dev?) - with admin creds the developer is able to see the secret"
6:47
so it should be the platform engineer who creates the child cluster and not the developer then?
Serhii Ivanov
🏡 Tuesday at 6:47 AM
a developer with admin creds is an admin
you have a security misconfig
Bharath Nallapeta
Tuesday at 6:48 AM
perhaps this will help - https://docs.k0rdent.io/v0.1.0/admin-rbac/
docs.k0rdent.io
k0rdent Role Based Access Control (RBAC) - Documentation
Documentation for k0rdent.
6:50
we are working on a detailed blog on RBAC which deep dives into the questions you have asked + OIDC too.
We will publish that soon-ish
William Konitzer
Tuesday at 10:58 AM
@kovchynnykov
RBAC in k0rdent isn't well defined.. I can't work out how you can assign teams to a cluster and how to group clusters.
Serhii Ivanov
🏡 Tuesday at 12:41 PM
https://miracloud.slack.com/archives/C075Z4V0TA5/p1738666778738879
(linked message from Serhii Ivanov in k0rdent-dev, Feb 4th: "@2a-dev Please take a look at RBAC related bug (?) k0rdent/kcm#1033")
https://miracloud.slack.com/archives/C07SWMW1XSS/p1739273185493249