Skip to content

Commit 0dc108f

Browse files
scotwellsclaude
andcommitted
feat(federation): add minimal edge-scoped ClusterRole for cell write-back
The edge (cell) compute-manager authenticates to the hub Karmada control plane with a dedicated client-cert identity (system:compute-edge-federation@compute.datumapis.com) to write Instance status back for its cell. Grant it a new, least-privilege ClusterRole rather than the broad compute-manager role the management plane uses. The role is scoped to exactly what the cell InstanceReconciler's FederationClient does on the hub (Finalize + writeBackToUpstream): read the federation namespace, and create/update/delete its own Instance plus update its status. The cell uses a direct (non-caching) client, so no list/watch — and it never touches configmaps/secrets, workloaddeployments, or propagationpolicies on the hub. Bound to the identity by CN specifically, not the broad compute.datumapis.com group, so only this identity receives the edge role. Ships in the existing downstream-rbac kustomization so it applies to Karmada alongside the management role. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1 parent c0e1792 commit 0dc108f

2 files changed

Lines changed: 47 additions & 0 deletions

File tree

Lines changed: 46 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,46 @@
1+
# Least-privilege federation access for the edge (cell) compute-manager on the
2+
# Karmada control plane. This is a NEW, dedicated ClusterRole — deliberately NOT
3+
# the broad compute-manager role above (which the management plane needs) —
4+
# scoped to exactly what the cell InstanceReconciler's FederationClient does on
5+
# the hub in Finalize + writeBackToUpstream (internal/controller/instance_controller.go):
6+
#
7+
# * Get the federation Namespace to resolve write-back identity labels.
8+
# * Get / Create / Update / Delete this cell's own write-back Instance.
9+
# * Update the write-back Instance's status.
10+
#
11+
# The cell uses a direct (non-caching) federation client, so no list/watch is
12+
# required, and it never touches configmaps/secrets, workloaddeployments, or
13+
# propagationpolicies on the hub.
14+
#
15+
# Bound to the dedicated edge identity by CN specifically — the client cert the
16+
# infra deployment control plane issues (CN
17+
# system:compute-edge-federation@compute.datumapis.com) — not to the broad
18+
# compute.datumapis.com group, so only this identity receives the edge role.
19+
---
20+
apiVersion: rbac.authorization.k8s.io/v1
21+
kind: ClusterRole
22+
metadata:
23+
name: compute-edge-federation
24+
rules:
25+
- apiGroups: [""]
26+
resources: ["namespaces"]
27+
verbs: ["get"]
28+
- apiGroups: ["compute.datumapis.com"]
29+
resources: ["instances"]
30+
verbs: ["get", "create", "update", "delete"]
31+
- apiGroups: ["compute.datumapis.com"]
32+
resources: ["instances/status"]
33+
verbs: ["update"]
34+
---
35+
apiVersion: rbac.authorization.k8s.io/v1
36+
kind: ClusterRoleBinding
37+
metadata:
38+
name: compute-edge-federation
39+
roleRef:
40+
apiGroup: rbac.authorization.k8s.io
41+
kind: ClusterRole
42+
name: compute-edge-federation
43+
subjects:
44+
- kind: User
45+
name: system:compute-edge-federation@compute.datumapis.com
46+
apiGroup: rbac.authorization.k8s.io

config/base/downstream-rbac/kustomization.yaml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,3 +3,4 @@ kind: Kustomization
33

44
resources:
55
- rbac.yaml
6+
- edge-federation-rbac.yaml

0 commit comments

Comments
 (0)