This repository was archived by the owner on Dec 6, 2024. It is now read-only.

Allow administrators to limit which Bucket(Access)Classes users can use #107

Open
@BlaineEXE

Description

Admins should have a way to limit which BucketClasses and BucketAccessClasses certain users (namespaces) can use.
This can be broken down into 2 parts:

  • basic access limits: limiting the allowed B(A)Classes on a per-namespace basis
  • quota limits: limiting the number of references any BClaim/BAccess can make in total or for particular B(A)Classes

The latest prior art in the Kube ecosystem is Pod Security Admission and Resource Quotas -- and of course RBAC.

None of the above tools allow us to limit the references that are allowed in BClaims/BAccesses. However, admins can rely on Resource Quotas and RBAC to limit whether namespaces are allowed to create BClaims/BAccesses, and how many can be created. We should rely on existing mechanisms where possible, so we will not plan to implement tools for those limitations.

From our current understanding, there are no KEPs currently that are attempting to address broadly-applicable control of references. We could attempt to start such a KEP if we want to.

We may wish to implement a mechanism in COSI that will allow us to give administrators control over user consumption of COSI resources during COSI's early phases (right now). We should do our best to implement this mechanism in such a way that it can be easily replaced with a broadly-applicable implementation in the future.

Note 18 July 2024: approach sig-auth for suggestions about implementation/design
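
The existing controls the issue refers to, as an added example that is not part of the original issue or the COSI project's own manifests: a ResourceQuota capping how many BucketClaims and BucketAccesses a namespace may hold, and RBAC deciding who may create them. The namespace `team-a`, the object names and the group `team-a-devs` are constructed placeholders; the resource names assume the COSI `objectstorage.k8s.io` API group.

```yaml
# Constructed example: namespace, object names and the group subject are placeholders.
# Caps the number of COSI objects in the namespace. It does not look at
# which BucketClass or BucketAccessClass each object references.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: cosi-object-counts
  namespace: team-a
spec:
  hard:
    count/bucketclaims.objectstorage.k8s.io: "5"
    count/bucketaccesses.objectstorage.k8s.io: "10"
---
# Grants the namespace's users the right to manage BucketClaims and
# BucketAccesses. RBAC authorizes by verb and resource, not by the
# class name inside the object's spec.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cosi-consumer
  namespace: team-a
rules:
  - apiGroups: ["objectstorage.k8s.io"]
    resources: ["bucketclaims", "bucketaccesses"]
    verbs: ["get", "list", "watch", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cosi-consumer-binding
  namespace: team-a
subjects:
  - kind: Group
    name: team-a-devs          # placeholder group
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: cosi-consumer
  apiGroup: rbac.authorization.k8s.io
```

With these applied, a user in `team-a` can still reference any BucketClass or BucketAccessClass in the cluster, which is the gap the issue describes.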
