Skip to content

feature: allow RBAC bootstrapping for user identities in Kubeconfigs #49

New issue
New issue
Open
Open
feature: allow RBAC bootstrapping for user identities in Kubeconfigs#49
Labels
kind/featureCategorizes issue or PR as related to a new feature.
@embik

Description

@embik
embik
opened on Jun 12, 2025

Feature Description

Bootstrapping a new kcp instance with kcp-operator is still a bit of a frustrating experience, because you can create Kubeconfig objects, but unless they encode a privileged group like system:masters, the resulting kubeconfig is unable to access kcp.

We should allow bootstrapping basic ClusterRoleBindings into a target workspace (mostly root, I suppose) for identities managed by Kubeconfigs so that you can gain access to the kcp instance and go from there (e.g. wire it up to a git repository holding all your authZ configuration).

Proposed Solution

Extend the Kubeconfig CRD. It could look like this:

spec:
  authorization:
    clusterRoleBindings:
      workspacePath: "root"
      clusterRoles:
        - "cluster-admin"

workspacePath is the target workspace (identified by colon-separated path) and clusterRoles is the list of target ClusterRoles in the workspace that ClusterRoleBindings should be created for.

Alternative Solutions

No response

Want to contribute?

  • I would like to work on this issue.

Additional Context

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/featureCategorizes issue or PR as related to a new feature.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions