docs: add namespace isolation design and promote security hardening to ADR#62
…o ADR

- Add namespace-isolation-design.md: two-namespace architecture for safe Kubernetes API access using Dev Sandbox SpaceRequest API
- Promote security hardening proposals to ADR-0001, distilling decisions and rationale from 5 proposal files into one record
- Delete original proposal files (design, questions, impl-questions, credential-examples, sketch)
- Mark Phase 3 (kubernetes credential type) as deferred, referencing the namespace isolation design
- Fix whitespace alignment in PROJECT_VISION.md

Signed-off-by: Alexey Kazakov <alkazako@redhat.com>
Made-with: Cursor
Walkthrough: Documentation reorganization consolidates security hardening specifications for the Claw Operator. Multiple exploratory proposal documents are removed and superseded by a formal ADR and a comprehensive namespace isolation design proposal. A minor spacing adjustment is applied to the project vision diagram.
| Separate the security infrastructure from the user's workspace using a dedicated `-claw` namespace: | ||
| ``` | ||
| alice-dev (user's workspace, unchanged) alice-{uid}-claw (new, Claw system) |
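Review bot: the prose line introduces "a dedicated `-claw` namespace" while the diagram names it `alice-{uid}-claw`; say in the prose that the SpaceRequest controller inserts a `{uid}` component, so readers do not take `-claw` alone for the full namespace name.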
why alice-{uid}-claw and not just alice-claw?
This is how the SR controller works. I guess we needed it to make sure the ns name is unique.
| ``` | ||
| alice-dev (user's workspace, unchanged) alice-{uid}-claw (new, Claw system) | ||
| ├── user's deployments ├── claw (gateway pod) |
I assume that the alice-{uid}-claw ns will also contain a secret with the token for the Assistant SA that exists in the alice-dev ns? (Just saying that the diagram could include it.)
Yeah, it's in a different diagram in the doc:
Dashboard sees SpaceRequest Ready=True:
...
- Creates assistant SA kubeconfig Secret in the -claw namespace
| - apiGroups: [""] | ||
| resources: ["events"] | ||
| verbs: ["get", "list", "watch"] | ||
| # View Route to find the URL |
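Review bot: the comment `# View Route to find the URL` sits after a rule on `events` in the core API group (`apiGroups: [""]`), so the Route rule it introduces is outside this excerpt; make sure that rule uses `apiGroups: ["route.openshift.io"]` with `resources: ["routes"]`, because Routes are not in the core group and a `routes` entry under `""` grants nothing.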
the user may want to see the Service and ConfigMaps as well
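A read-only Role that covers the resources raised in this comment, written as an added example rather than taken from the PR's documents. The Role and namespace names are placeholders; the assistant SA and the `alice-dev` workspace come from the diagram and thread above. Everything stays on `get`/`list`/`watch`, and Secrets are deliberately not included, since ConfigMaps already expose application configuration and a view role should not reach credentials.

```yaml
# Added example, not from the PR: a read-only Role in the user's workspace
# namespace extending the excerpt's events rule to Services, ConfigMaps and
# Routes. Names marked "assumed" are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: claw-assistant-view   # assumed Role name
  namespace: alice-dev        # user's workspace namespace from the diagram
rules:
  # Core-group resources the assistant needs to inspect a deployment's state.
  - apiGroups: [""]
    resources: ["events", "services", "configmaps"]
    verbs: ["get", "list", "watch"]
  # Routes live in route.openshift.io, not the core group, so they need
  # their own rule; this is the rule "View Route to find the URL" refers to.
  - apiGroups: ["route.openshift.io"]
    resources: ["routes"]
    verbs: ["get", "list", "watch"]
```

Bind it to the assistant SA with a RoleBinding in `alice-dev`; keeping the Role namespaced (rather than a ClusterRole bound cluster-wide) is what confines the assistant's read access to the single workspace the design describes.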
| #### ns_claw.yaml — NetworkPolicies | ||
| Includes: | ||
| - **Sandbox-standard ingress policies**: `allow-from-openshift-ingress`, `allow-from-openshift-monitoring`, `allow-from-console-namespaces`, etc. (same as `-dev`) |
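Review bot: `allow-from-openshift-monitoring` admits ingress from the cluster monitoring namespace into the `-claw` namespace, and the list carries it over from `-dev` without saying what in the Claw namespace is scraped; either name the metrics endpoint on the gateway pod that needs it or drop the policy so ingress to the gateway is limited to the router.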
I don't think we need allow-from-openshift-monitoring for users' deployments of Claw
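An ingress policy set for the `-claw` namespace with the monitoring allowance left out, added here as an example and not taken from the PR's `ns_claw.yaml`. The namespace name is a placeholder for `alice-{uid}-claw`, the deny policy's name is assumed, and the `network.openshift.io/policy-group: ingress` namespace label is the one OpenShift's documented `allow-from-openshift-ingress` policy selects on.

```yaml
# Added example, not from the PR. Two policies: deny all ingress by default,
# then admit only the OpenShift router. No monitoring allowance, since nothing
# in the Claw namespace is scraped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-by-default          # assumed name
  namespace: alice-1234-claw     # placeholder for alice-{uid}-claw
spec:
  podSelector: {}                # applies to every pod in the namespace
  policyTypes: ["Ingress"]       # no ingress rules listed, so all ingress is denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
  namespace: alice-1234-claw     # placeholder for alice-{uid}-claw
spec:
  podSelector: {}
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # Label carried by the openshift-ingress namespace; assumed to
              # match the Sandbox policy of the same name.
              network.openshift.io/policy-group: ingress
  policyTypes: ["Ingress"]
```

Policies are additive, so the router allowance is the only hole in the default deny; adding `allow-from-openshift-monitoring` later would open a second one, which is why it should be justified by a concrete scrape target before it is copied across.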
| --- | ||
| ## Implementation: SpaceRequest API |
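Review bot: this section presents the SpaceRequest API as the mechanism without recording the alternative of a tier template that provisions both namespaces at sign-up; add a short alternatives-considered note explaining why a per-user SpaceRequest was chosen over a two-namespace tier, since the question below raises exactly that.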
I'm confused with the SpaceRequest API here: can't we have a Tier with 2 namespaces in case the user signs up for Claw on sandbox.redhat.com?