APPUiO Control API Architecture
- Kubernetes API
The Control API is built upon the Kubernetes API and adheres to its design principles.
- API object field: the status field (also called "Status subresource") represents the current observed state and external information. It is read-only to the end user.
- API object field: the spec field contains the desired state for reconciliation.
Some resources are not persisted to etcd and are only available virtually; others are persisted to etcd and are defined and represented via
Virtual resources are accessible via an API Server Extension.
These resources are similar to views in a relational database.
The benefit of providing these resources instead of only using CRDs is that we can calculate access permissions dynamically for every request.
The same concept is also used by OpenShift with its Project resource, which represents RBAC-filtered Namespaces (see kube-projects). It can also be found in Kiosk, for example.
Authentication against the API server is done by the APPUiO IdP. The same subject (user) is used throughout the whole APPUiO Cloud ecosystem.
For authorization, standard Kubernetes RBAC is used. Kyverno policies can be used to implement additional policies, for example limiting the number of resources of a given kind a user is allowed to create.
There are several layers of authorization:
Virtual resources with filtering
Resources on the Kubernetes API server can either be cluster scoped or namespace scoped.
Each APPUiO Control API instance is represented by one Kubernetes API server instance. This allows us to leverage the scoping concept of the Kubernetes API server to reflect the scopes of the APPUiO Cloud domain. It also means that standard Kubernetes RBAC rules can be used for permission handling on the organization level.
APPUiO Cloud global resources are available in the Kubernetes cluster scope (no namespace), whereas organization-level resources are namespace scoped.
- Kubernetes cluster-global resource.
- Kubernetes namespaced resource.
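As an added illustration (not part of the APPUiO documentation or code), the following RBAC manifests show how the two scopes map onto standard Kubernetes objects: a ClusterRole for a cluster-scoped global resource, and a namespaced Role bound in an organization's namespace, with the status subresource kept read-only. The API group control.example.com, the resource names globalthings and orgthings, the namespace org-acme and the subject alice@example.com are placeholders, not names from APPUiO.

```yaml
# Placeholder API group/resource names; substitute the real Control API kinds.
# A cluster-scoped (global) resource is granted via ClusterRole + ClusterRoleBinding.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: global-reader
rules:
- apiGroups: ["control.example.com"]
  resources: ["globalthings"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: alice-global-reader
subjects:
- kind: User
  name: alice@example.com   # the subject as asserted by the IdP
roleRef:
  kind: ClusterRole
  name: global-reader
  apiGroup: rbac.authorization.k8s.io
---
# Organization-level resources are namespace scoped: a Role in the organization's
# namespace cannot grant anything outside that namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: org-editor
  namespace: org-acme
rules:
- apiGroups: ["control.example.com"]
  resources: ["orgthings"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["control.example.com"]
  resources: ["orgthings/status"]
  verbs: ["get"]   # status subresource stays read-only for the user
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alice-org-editor
  namespace: org-acme
subjects:
- kind: User
  name: alice@example.com
roleRef:
  kind: Role
  name: org-editor
  apiGroup: rbac.authorization.k8s.io
```

Because a RoleBinding can only refer to objects in its own namespace, the organization boundary is enforced by the API server's scoping rather than by policy logic in the Control API.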