Hello team,

We are working hard to move Origin authorization policies over to
Kubernetes RBAC in 3.7.

We already have a synchronization controller in 3.6 that converts
policies to RBAC objects. In 3.7 we are going to stop storing origin
policies and only use RBAC objects. Furthermore, we will replace the
origin authorizer with k8s authorizer which only respects RBAC objects.

This has a few consequences though, and we are seeking some input.

Because of the way Origin policies were built we cannot maintain shim
APIs for all of them. We have proxy APIs that handle all direct
{cluster}role{binding}s APIs, but the APIs that exposed the whole policy
object directly are going to disappear (as we no longer have such an
object in the database).

In 3.6 we changed all command line tools to use the correct API to deal
with roles and bindings so that they won't break once we shut down
origin policies for good. However, older (< 3.6) clients will fail to
perform some operations against a 3.7 cluster due to this change, as
some of them used to modify the policy objects directly instead of
using the {cluster}role{binding}s APIs. Some of our Ansible tooling
targets these endpoints directly as well.

Also we'd like to kill or version gate the "oc adm override-policy"
command that allows wholesale replacement of policies by directly
overwriting ETCD. This command does not make sense in 3.7 as the
storage layout is different, since we will store many small RBAC
objects instead of giant policy objects. Furthermore, a cluster admin
can restore access to a server with a broken policy configuration using
a cert-based user in the "system:masters" group (this group is always
allowed to perform any action). Thus that command is not strictly
needed any more to fix a cluster and is not useful in most situations.

We are seeking input and opinions on how to properly phase out origin
policies; our goal is to minimize the amount of code we need to keep
around while maintaining the strongest backwards compatibility.

Simo & Security Team
-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc

_______________________________________________
dev mailing list
[email protected]
http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
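
As an added example (not OpenShift's own controller code), here is a stripped-down version of the policy-to-RBAC conversion the message describes, carried through on constructed sample objects. The Origin Policy/PolicyBinding dict layout used (a roles / roleBindings map keyed by name, a roleRef with an empty namespace meaning a cluster role) and the SystemUser/SystemGroup subject kinds are assumptions made for the example.

```python
RBAC_API = "rbac.authorization.k8s.io/v1"
RBAC_GROUP = "rbac.authorization.k8s.io"
SUBJECT_KINDS = {"User": "User", "SystemUser": "User", "Group": "Group",
                 "SystemGroup": "Group", "ServiceAccount": "ServiceAccount"}

def convert_policy(policy):
    """One Role (namespaced policy) or ClusterRole (cluster policy) per roles entry."""
    ns = policy["metadata"].get("namespace")
    kind = "Role" if ns else "ClusterRole"
    objs = []
    for name, role in policy["roles"].items():
        rules = [{"verbs": r["verbs"], "apiGroups": r.get("apiGroups", [""]),
                  "resources": r.get("resources", []),
                  "resourceNames": r.get("resourceNames", [])} for r in role["rules"]]
        objs.append({"apiVersion": RBAC_API, "kind": kind, "rules": rules,
                     "metadata": {"name": name, **({"namespace": ns} if ns else {})}})
    return objs

def convert_binding(policy_binding):
    """One RoleBinding (namespaced) or ClusterRoleBinding per roleBindings entry."""
    ns = policy_binding["metadata"].get("namespace")
    kind = "RoleBinding" if ns else "ClusterRoleBinding"
    objs = []
    for name, rb in policy_binding["roleBindings"].items():
        ref = rb["roleRef"]
        # Assumed Origin convention: an empty roleRef namespace means a cluster role.
        ref_kind = "Role" if ref.get("namespace") else "ClusterRole"
        subjects = []
        for s in rb.get("subjects", []):
            k = SUBJECT_KINDS[s["kind"]]
            subj = {"kind": k, "name": s["name"]}
            if k == "ServiceAccount":  # SAs are namespaced; users/groups carry the RBAC group
                subj["namespace"] = s.get("namespace", ns)
            else:
                subj["apiGroup"] = RBAC_GROUP
            subjects.append(subj)
        objs.append({"apiVersion": RBAC_API, "kind": kind, "subjects": subjects,
                     "metadata": {"name": name, **({"namespace": ns} if ns else {})},
                     "roleRef": {"apiGroup": RBAC_GROUP, "kind": ref_kind, "name": ref["name"]}})
    return objs

# Constructed sample input (not real cluster data): a namespaced policy with one role, and a
# policy binding that binds it plus a binding to the cluster-scoped "admin" role.
SAMPLE_POLICY = {"kind": "Policy", "metadata": {"name": "default", "namespace": "dev"},
                 "roles": {"viewer": {"rules": [{"verbs": ["get", "list"], "resources": ["pods"]}]}}}
SAMPLE_BINDING = {"kind": "PolicyBinding", "metadata": {"name": "dev:default", "namespace": "dev"},
                  "roleBindings": {"viewer-binding": {"roleRef": {"namespace": "dev", "name": "viewer"},
                                                      "subjects": [{"kind": "User", "name": "alice"}]},
                                   "admin-binding": {"roleRef": {"name": "admin"},
                                                     "subjects": [{"kind": "SystemGroup", "name": "ops"}]}}}
```

Running `convert_policy(SAMPLE_POLICY)` and `convert_binding(SAMPLE_BINDING)` yields one namespaced Role and two RoleBindings, the second of which points at a ClusterRole; a policy without a namespace would instead produce ClusterRole/ClusterRoleBinding objects.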
