Support wildcards in additionalrolebindings section of Tenant specification #863
Comments
|
Thanks for the feature proposal. Unfortunately, this is not feasible since Kubernetes itself doesn't support RBAC. Furthermore, a wildcard introduces potential issues from a security standpoint. If you can elaborate a bit more your use-case as well as your struggles, by adding a detailed user-story, we can definitely try to understand if it can potentially fit into the Capsule area. |
prometherion
added
needs-discussion
|
@prometherion One Use-Case which is interesting, would be allowing to have wildcards in respected userGroups in the capsuleConfiguration. But we should probably stick to the native xperience. |
That was the Capsule aim from day one: with all due respect to the feature request, which are always welcome, it seems to me a workaround to a different problem that should be addressed in a different scope. |
Describe the feature
additionalrolebindings section of Tenant specification needs an exact user. It does not support wildcard for user.
What would the new user story look like?
Support wildcards in additionalrolebindings section of Tenant specification
How would the new interaction with Capsule look like? E.g.
We are using Capsule on EKS. While defining tenant, we would like to assign additional roles to a group of users which can be achieved by wildcard instead of listing all of them in the specification.
Existing specification
spec:
owners:
kind: User
additionalRoleBindings:
subjects:
kind: User
name: EKS-User:<<aws_account_id>>:user_1
Feel free to add a diagram if that helps explain things.
Expected behavior
Support wildcards in the users section of additionalrolebindings to support large team.
spec:
owners:
kind: User
additionalRoleBindings:
subjects:
kind: User
name: EKS-User:<<aws_account_id>>:user_* (wildcard)
The text was updated successfully, but these errors were encountered: