projectcapsule / capsule-proxy

Reverse proxy for Capsule Operator.

Home Page: https://github.com/projectcapsule/capsule


Allow user to get list of his tenants

anatolychernov opened this issue · comments

Describe the feature

Add "/apis/capsule.clastix.io/v1beta2/tenants" filter which allows a user to receive a list of his tenants (e.g. kubectl get tenants).
Currently, it's difficult to implement this feature as a new module, because we should pass label selectors to Handle func.
If our tenants have only custom labels we won't be able to use their labels in label selectors.

Is it possible to implement this feature without using label selectors?
Maybe we can try to process this route ("/apis/capsule.clastix.io/v1beta2/tenants") in a separate handler?

What would the new user story look like?

How would the new interaction with Capsule-Proxy look like?
Feel free to add a diagram if that helps explain things.

Expected behavior

User executes the command 'kubectl get tenants' and receives a list of his tenants.

If we make some changes in capsule which let capsule add some label when capsule creates a tenant, we will be able to add a module in capsule-proxy which would use this label when capsule calls the 'labels.NewRequirement' func.

E.g., labels.NewRequirement("name", selection.In, tenantNames)

I would argue that adding this feature is safe. What do you think, @MaxFedotov @prometherion?
If we accept this, I am wondering if we should add it to the Owners-ProxySettings (https://github.com/projectcapsule/capsule/blob/9a8736428821446d5eb6ec6e73edd7ea6b101b7f/api/v1beta2/owner.go#L44). Probably not because you would have to define it for each tenant. But maybe that's the use case for some people?

@anatolychernov Could you implement the feature?

That's an interesting feature. From one POV, if a user is a member of multiple tenants, it may be quite beneficial for him to be able to list them. But on the other side, tenants hold a piece of configuration inside, which the cluster-admin may not want to expose to users.

So listing own tenants can be safe, but getting the tenant spec should not be allowed by default.

Hello,
I'll try to add a new route for processing tenants list.
As I can see, MR projectcapsule/capsule#910 has been merged. If I understand correctly, I can use the label key ("kubernetes.io/metadata.name") to make a LabelSelector.

Could you clarify when a new capsule version with the MR above will be released?

@anatolychernov it will take some time until we release 0.5.0, but in the meantime you can develop locally with the build from main. See the following documentation on how to get capsule running with a local kind cluster:

https://github.com/projectcapsule/capsule/blob/main/DEVELOPMENT.md

Hello,

I've created a PR.

Implemented
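The selector approach discussed in this thread, as an added example (not capsule-proxy's own code, and not part of the original issue): a standard-library sketch of constraining the `labelSelector` query of a tenants list request to the tenants a user owns. The helper name `RestrictTenantList` is hypothetical, and it assumes that tenants carry the "kubernetes.io/metadata.name" label as described above and that the list of owned tenant names is resolved elsewhere.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// Label key named in the thread as usable for selecting tenants by name.
const tenantNameLabel = "kubernetes.io/metadata.name"

// Restrict names to RFC 1123 characters so a name cannot inject selector syntax.
var validName = regexp.MustCompile(`^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$`)

// RestrictTenantList (hypothetical helper) returns the query string to forward
// upstream for a tenants list request. ok is false when the user owns no
// tenants: an "in" requirement needs at least one value, and forwarding with no
// selector would list every tenant, so the caller must return an empty list.
func RestrictTenantList(rawQuery string, owned []string) (string, bool, error) {
	if len(owned) == 0 {
		return "", false, nil
	}
	names := append([]string(nil), owned...)
	sort.Strings(names)
	for _, n := range names {
		if len(n) > 253 || !validName.MatchString(n) {
			return "", false, fmt.Errorf("invalid tenant name %q", n)
		}
	}
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", false, err
	}
	sel := tenantNameLabel + " in (" + strings.Join(names, ",") + ")"
	// Comma means AND: the user's own selector can narrow the result, not widen it.
	if user := strings.TrimSpace(q.Get("labelSelector")); user != "" {
		sel = user + "," + sel
	}
	q.Set("labelSelector", sel)
	return q.Encode(), true, nil
}

func main() {
	// Constructed sample: user owns two tenants and passes a selector of their own.
	out, ok, err := RestrictTenantList("labelSelector=env%3Dprod", []string{"oil", "gas"})
	fmt.Println(out, ok, err)
}
```

This only restricts which tenants are listed; whether the tenant spec should be returned to the user is the separate concern raised earlier in the thread.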