How can users manage permissions to Kubernetes resources at scale

[varbanv]

Users need to manage a large number of access controls across a number of teams.
Currently only the cluster-admin has access to all current and future resources for a cluster.
Users would like to manage a set of roles that are know and updated based on new access controls made available over time due to new modules or kubernetes features.

Sub-problems:

• How to discover the necessary access to use the new XYZ module?
• How to see/audit existing access?
• How to setup and maintain a role for a specific use case?

Proposals:

• Update existing roles defined by Kubernetes.
• Use a service by SAP as source of truth and sync the settings to the cluster.
• Look at Rancher, Openshift, or Linux as examples.
• Have templates that users can apply to grant access for pre-defined use cases.
• Have a access control view/functionality in Busola/CLI to reduce the management complexity.
• Allow the configuration of OIDC groups and create corresponding RBACs on SKR for them kyma-infrastructure-manager#1109

Implementation

According to the decision record all Kyma modules should implement RBAC aggregation to view and edit roles. Tasks:

• api-gateway
• application-connector-manager
• btp-manager
• cloud-manager
• docker-registry
• eventing-manager
• istio
• keda-manager
• nats-manager
• registry-cache
• serverless
• registry-proxy
• telemetry-manager

[pbochynski]

Decision record: kyma-project/community#1014

[tobiscr]

See also request about additional configuration options for cluster-admin from @ptesny : #internal-backlog/7512