You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
@@ -706,10 +706,10 @@ with the requisite parameters and receive a new JWT token to use with `STS::Assu
706
706
707
707
### Controller Changes
708
708
709
-
* If identityRef is specified, the CRD is fetched and unmarshalled into a AWS SDK credential.Provider for the principal type.
709
+
* If identityRef is specified, the CRD is fetched and unmarshalled into a AWS SDK credential.Provider for the identity type.
710
710
* The controller will compare the hash of the credential provider against the same secret’s provider in a cache ([NFR 8](#NFR8)).
711
711
* The controller will take the newer of the two and instantiate AWSClients with the selected credential provider.
712
-
* The controller will set an the principal resource as one of the OwnerReferences of the AWSCluster.
712
+
* The controller will set an the identity resource as one of the OwnerReferences of the AWSCluster.
713
713
* The controller and defaulting webhook will default `nil``identityRef` field in AWSClusters to `AWSClusterControllerIdentity`.
714
714
715
715
This flow is shown below:
@@ -721,20 +721,20 @@ This flow is shown below:
721
721
Today, `clusterctl move` operates by tracking objectreferences within the same namespace, since we are now proposing to
722
722
use cluster-scoped resources, we will need to add requisite support to clusterctl's object graph to track ownerReferences
723
723
pointing at cluster-scoped resources, and ensure they are moved. We will naively not delete cluster-scoped resources
724
-
during a move, as they maybe referenced across namespaces. Because we will be tracking the AWS Account ID for a given principal, it is expected, that for this proposal, this provides sufficient protection against the possibility of a cluster-scoped
725
-
principal after one move, and being copied again.
724
+
during a move, as they maybe referenced across namespaces. Because we will be tracking the AWS Account ID for a given identity, it is expected, that for this proposal, this provides sufficient protection against the possibility of a cluster-scoped
725
+
identity after one move, and being copied again.
726
726
727
727
728
728
#### Validating webhook changes
729
729
730
730
A validating webhook could potentially handle some of the cross-resource validation necessary for the [security
731
731
model](#security-model) and provide more immediate feedback to end users. However, it would be imperfect. For example, a
732
-
change to a `AWSCluster*Principal` could affect the validity of corresponding AWSCluster.
732
+
change to a `AWSCluster*Identity` could affect the validity of corresponding AWSCluster.
733
733
The singleton `AWSClusterControllerIdentity` resource will be immutable to avoid any unwanted overrides to the allowed namespaces, especially during upgrading clusters.
734
734
735
-
#### Principal Type Credential Provider Behaviour
735
+
#### Identity Type Credential Provider Behaviour
736
736
737
-
Implementations for all principal types will implement the `credentials.Provider` interface in the AWS SDK to support [FR5](#FR5) as well as an
737
+
Implementations for all identity types will implement the `credentials.Provider` interface in the AWS SDK to support [FR5](#FR5) as well as an
738
738
additional function signature to support caching:
739
739
740
740
```go
@@ -748,10 +748,10 @@ type Provider interface {
748
748
IsExpired() bool
749
749
}
750
750
751
-
typeAWSPrincipalTypeProviderinterface {
751
+
typeAWSIdentityTypeProviderinterface {
752
752
credentials.Provider
753
753
// Hash returns a unique hash of the data forming the credentials
754
-
// for this principal
754
+
// for this identity
755
755
Hash() (string, error)
756
756
}
757
757
```
@@ -771,7 +771,7 @@ forcing a refresh.
771
771
772
772
The authors have implemented a similar mechanism [based on the Ruby AWS SDK][aws-assume-role].
773
773
774
-
This could be further optimised by having the controller maintain a watch on all Secrets matching the principal types.
774
+
This could be further optimised by having the controller maintain a watch on all Secrets matching the identity types.
775
775
Upon receiving an update event, the controller will update lookup the key in the cache and update the relevant provider.
776
776
This may be implemented as its own interface. Mutexes will ensure in-flight updates are completed prior to SDK calls are
777
777
made. This would require changes to RBAC, and maintaining a watch on secrets of a specific type will require further
@@ -805,11 +805,11 @@ defined above. In most cases, it will be desirable to have all resources be
805
805
readable by most roles, so instead we'll focus on write access for this model.
806
806
807
807
##### Write Permissions
808
-
| | AWSCluster*Principal | AWSServiceAccountPrincipal | AWS IAM API | Cluster |
| Workload Cluster Operator | No | Yes | No | Yes |
813
813
814
814
Because Kubernetes service accounts necessarily encode the namespace into the JWT subject, we can allow workload cluster
815
815
operators to create their own `AWSServiceAccountIdentities`. Whether they have actual permissions on AWS IAM to set up
@@ -821,11 +821,11 @@ The extra configuration options are not possible to control with RBAC. Instead,
821
821
they will be controlled with configuration fields on GatewayClasses:
822
822
823
823
* **allowedNamespaces**: This field is a selector of namespaces that
824
-
Gateways can use this `AWSCluster*Principal` from. This is a standard Kubernetes
824
+
Gateways can use this `AWSCluster*Identity` from. This is a standard Kubernetes
825
825
LabelSelector, a label query over a set of resources. The result of
826
826
matchLabels and matchExpressions are ANDed. CAPA will not support
827
827
AWSClusters in namespaces outside this selector. An empty selector (default)
828
-
indicates that AWSCluster can use this `AWSCluster*Principal` from any namespace. This
828
+
indicates that AWSCluster can use this `AWSCluster*Identity` from any namespace. This
829
829
field is intentionally not a pointer because the nil behavior (no namespaces)
830
830
is undesirable here.
831
831
@@ -834,10 +834,10 @@ they will be controlled with configuration fields on GatewayClasses:
834
834
The CAPA controller will need to:
835
835
836
836
* Populate condition fields on AWSClusters and indicate if it is
837
-
compatible with `AWS*Principal`.
838
-
* Not implement invalid configuration. Fore example, if a `AWSCluster*Principal` is referenced in
837
+
compatible with `AWS*Identity`.
838
+
* Not implement invalid configuration. Fore example, if a `AWSCluster*Identity` is referenced in
839
839
an invalid namespace for it, it should be ignored.
840
-
* Respond to changes in `AWS*Principal` configuration that may change.
840
+
* Respond to changes in `AWS*Identity` configuration that may change.
841
841
842
842
### Alternative Approaches Considered
843
843
@@ -862,13 +862,13 @@ API server KMS.
862
862
863
863
**Downsides**
864
864
865
-
By allowing workload cluster operators to create the various principals, or referencing them directly in the
865
+
By allowing workload cluster operators to create the various identitys, or referencing them directly in the
866
866
AWSCluster as a field they could potentially escalate privilege when assuming role across AWS accounts as the CAPA
867
867
controller itself may be running with privileged trust.
868
868
869
-
#### 1:1 mapping one namespace to one AWSPrincipal
869
+
#### 1:1 mapping one namespace to one AWSIdentity
870
870
871
-
The mapping of a singular AWSPrincipal to a single namespace such that there is a 1:1 mapping
871
+
The mapping of a singular AWSIdentity to a single namespace such that there is a 1:1 mapping
872
872
was considered, via either some implicitly named secret or other metadata on the namespace.
873
873
874
874
**Benefits**
@@ -923,7 +923,7 @@ The data changes are additive and optional, except `AWSClusterControllerIdentity
923
923
`AWSClusterControllerIdentity` singleton instance restricts the usage of controller credentials only from `allowedNamespaces`.
924
924
AWSClusters that do not have an assigned `IdentityRef` is defaulted to use `AWSClusterControllerIdentity`, hence existing clusters needs to have
925
925
`AWSClusterControllerIdentity` instance. In order to make existing AWSClusters to continue to reconcile as before, a new controller is added as experimental feature
926
-
and gated with **Feature gate:** AutoControllerPrincipalCreator=true. By default, this feature is enabled. This controller creates `AWSClusterControllerIdentity` singleton instance (if missing) that allows all namespaces to use the principal.
926
+
and gated with **Feature gate:** AutoControllerIdentityCreator=true. By default, this feature is enabled. This controller creates `AWSClusterControllerIdentity` singleton instance (if missing) that allows all namespaces to use the identity.
927
927
During v1alpha4 releases, since breaking changes will be allowed, this feature will become obsolete.
0 commit comments