-
Notifications
You must be signed in to change notification settings - Fork 152
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introduce a new CARM config map with support for teamIDs
and service level isolation
#155
Conversation
Skipping CI for Draft Pull Request. |
cfef973
to
447c4bb
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks Tibi! I left a few thoughts in line
pkg/featuregate/features.go
Outdated
const ( | ||
// FeatureCARMv2 is the name of the CARMv2 feature. | ||
FeatureCARMv2 = "CARMv2" | ||
) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
open question, is there a better name for this feature? to me this sounds like something a bit wide than what CARM does today.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's common knowledge that naming stuff is the hardest part of programming 😆 , I don't have any better suggestions
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hahaha, oh yeah this one is tricky let's leave it until the end :)
pkg/runtime/cache/cache.go
Outdated
// The prefix for owner account ID in the v2 CARM map. | ||
OwnerAccountIDPrefix = "owner-account-id." | ||
|
||
// The prefix for owner team ID in the v2 CARM map. | ||
TeamIDPrefix = "team-id." |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
QQ: are we assuming that users will populate the configmap with something like team-id.abc
and owner-account-id.012345678912
? trying to understand the liaison with aws-controllers-k8s/community#2031
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, and in addition, with something like s3.team-id.abc
or s3.owner-account-id.0123456789012
. I've left an example in the PR description.
I'm happy to reconsider UX, but I thought it more or less aligns with the original ticket.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO the format should exactly be s3.abc
or s3.012345678912
- adding team-id
or owner-account-id
makes things a little unusual. However mind proposing this new format in the Github issue? maybe i'm wrong and ACK users would like to have it this way :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I like your approach better, as long as the teamIDs and accountIDs are easily distinguishable, and they most likely are, the labels are redundant. I left these labels intentionally as they were part of the original PR and thought they were discussed about after the original proposal.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// to succeed, the AWS IAM Role that the ACK service controller runs as needs | ||
// to have the ability to call the AWS STS::AssumeRole API call and assume an | ||
// IAM Role in the target AWS Account. | ||
AnnotationTeamID = AnnotationPrefix + "team-id" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thoughts: the more I think about this, the more I think maybe this should just be a role-arn
.. looks like every team-id is just a RoleARN at the end of the day?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree with that, it's just a roleARN
per annotated namespace, right? The whole teamID
and ownerAccountID
notations are just syntactic sugar, but I assume it makes it easier for the user when reasoning who should have which permissions? 🤔
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
but I assume it makes it easier for the user when reasoning who should have which permissions? 🤔
You convinced me with this one.. it makes sense to reason that a team have a role...
291d2df
to
59c445a
Compare
pkg/featuregate/features.go
Outdated
@@ -16,11 +16,16 @@ | |||
// optionally overridden. | |||
package featuregate | |||
|
|||
const ( | |||
// FeatureCARMv2 is the name of the CARMv2 feature. | |||
FeatureCARMv2 = "CARMv2" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit:
FeatureCARMv2 = "CARMv2" | |
CARMv2 = "CARMv2" |
I'm thinking about reducing the verbosity when reusing this variable in r.cfg.FeatureGates.IsEnabled
r.cfg.FeatureGates.IsEnabled(featuregate.CARMv2)
Thoughts?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sure 👍🏻
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
88a1c3f
to
2d1b192
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Super neat, thanks a lot @TiberiuGC 🙇
/lgtm
/lgtm cancel |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: TiberiuGC The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Issue #, if available: aws-controllers-k8s/community#2031
Description of changes:
OR
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.