Allow to grant a k8s role binding on a service account #52

Open
2 tasks
jlevesy opened this issue Sep 15, 2022 · 0 comments


jlevesy commented Sep 15, 2022

What needs to be done?

A cool feature would be to define a potential grantee in an escalation grant directly. For example, in the K8sRoleBinding grant we could write something like this:

# some-policy.yaml
target:
  grants:
    - kind: KubernetesRoleBinding
      defaultNamespace: some-app
      allowedNamespaces:
        - some-app
        - some-other-app
      grantee:  # <- this !
        kind: ServiceAccount
        name: super-app
      roleRef:
        kind: ClusterRole
        name: config-viewer
        apiGroup: rbac.authorization.k8s.io

In that case, kudo will create the role binding not for the requestor, but for the grantee defined by the policy in the namespace picked by the policy.

This could open up a bunch of cool use cases like granting temporarily more permissions to a workload.

Kudos to @dduportal for the idea 🎉

Acceptance Criteria

  • Kudo allows granting permissions to a third party grantee defined in policy
  • an e2e test has been written to prove this
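
The subject selection proposed in this issue could look like the sketch below. It is an added example, not code from kudo: the `Grantee`, `RoleBindingGrant`, `Subject` and `ResolveSubject` names are hypothetical, and it assumes that a namespace is acceptable when it is the default or listed in `allowedNamespaces`, that the requestor is bound as a `User`, and that the service account lives in the namespace where the binding is created.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical types mirroring the policy YAML in the issue; not kudo's real API.
type Grantee struct{ Kind, Name string }

type RoleBindingGrant struct {
	DefaultNamespace  string
	AllowedNamespaces []string
	Grantee           *Grantee // nil means "bind the requestor"
}

// Subject carries the same fields as an rbac.authorization.k8s.io/v1 subject.
type Subject struct{ Kind, APIGroup, Name, Namespace string }

// ResolveSubject returns the namespace and subject of the role binding to create.
func ResolveSubject(g RoleBindingGrant, requestor, wantedNS string) (string, Subject, error) {
	ns := wantedNS
	if ns == "" {
		ns = g.DefaultNamespace
	}
	allowed := ns == g.DefaultNamespace // assumption: the default is always allowed
	for _, a := range g.AllowedNamespaces {
		allowed = allowed || a == ns
	}
	if !allowed {
		return "", Subject{}, fmt.Errorf("namespace %q is not allowed by the policy", ns)
	}
	if g.Grantee == nil {
		// No grantee in the policy: bind the requestor (assumed to be a User).
		return ns, Subject{Kind: "User", APIGroup: "rbac.authorization.k8s.io", Name: requestor}, nil
	}
	if g.Grantee.Kind != "ServiceAccount" || g.Grantee.Name == "" {
		return "", Subject{}, errors.New("grantee must be a named ServiceAccount")
	}
	// ServiceAccount subjects need a namespace; pin it to the binding's namespace.
	return ns, Subject{Kind: "ServiceAccount", Name: g.Grantee.Name, Namespace: ns}, nil
}

func main() {
	g := RoleBindingGrant{"some-app", []string{"some-app", "some-other-app"}, &Grantee{"ServiceAccount", "super-app"}}
	fmt.Println(ResolveSubject(g, "alice@example.com", "some-other-app"))
}
```

Rejecting any grantee kind other than `ServiceAccount` keeps a policy typo from silently binding the role to an unintended user or group.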
Projects
Status: Backlog