Description
Summary
Custom resources support subresources, such as Status, that need RBAC permissions separate from those of the owning resource. Internal components are typically set up to update the status subresource with the observed status of the resource, so we need to control, and by default prevent, users updating the status subresource.
In the future, e.g. for Datum Connect, we will need to allow users to update the status subresource on some resources (e.g. Connector) so that clients they use can update the status of resources powered by the client.
Details
Thinking we'll add a new `subresources` field to the ProtectedResource custom resource that lets the user configure which subresources are available on the resource.
Example of a status subresource being configured on a resource:
```yaml
apiVersion: iam.miloapis.com/v1alpha1
kind: ProtectedResource
...
spec:
  ...
  subresources:
    - status
```

The permissions in the system should follow the following format:

```
<service>/<resource>[/<subresource>].<permission>
```

This means a new `status` subresource being configured on a ProtectedResource should result in the following two permissions being made available:

- `networking.datumapis.com/httpproxies/status.get`
- `networking.datumapis.com/httpproxies/status.update`
OpenFGA integration
We need to make sure that the openfga authz webhook is updated to build the correct permission string when a status subresource is specified in the SubjectAccessReview request.
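As an added illustration (not code from the Milo project or this webhook), the following Go function builds the permission string in the format above from the resource attributes of a SubjectAccessReview, and refuses to mint a permission for any subresource that is not listed in the ProtectedResource's `subresources` field. The `ResourceAttributes` and `ProtectedResource` structs are constructed stand-ins for the real API types, and using the SAR verb directly as the permission name is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// ResourceAttributes is a stand-in for spec.resourceAttributes of a
// SubjectAccessReview (constructed; not the authorization.k8s.io type).
type ResourceAttributes struct {
	Group       string // e.g. networking.datumapis.com
	Resource    string // e.g. httpproxies
	Subresource string // e.g. status; empty for the main resource
	Verb        string // e.g. get, update
}

// ProtectedResource holds the parts of the spec this example needs
// (hypothetical shape): the service, the resource, and the subresources
// the resource owner opted into via spec.subresources.
type ProtectedResource struct {
	Service      string
	Resource     string
	Subresources []string
}

// PermissionString renders <service>/<resource>[/<subresource>].<permission>.
// The service itself contains dots, so consumers must split on the LAST dot;
// the verb is therefore rejected if it contains a dot or slash. A subresource
// that is not configured on the ProtectedResource yields an error rather
// than a permission string, so no authz check is made against a permission
// that was never made available.
func PermissionString(pr ProtectedResource, ra ResourceAttributes) (string, error) {
	if ra.Group != pr.Service || ra.Resource != pr.Resource {
		return "", fmt.Errorf("%s/%s is not covered by %s/%s", ra.Group, ra.Resource, pr.Service, pr.Resource)
	}
	if ra.Verb == "" || strings.ContainsAny(ra.Verb, "/.") {
		return "", fmt.Errorf("invalid verb %q", ra.Verb)
	}
	path := pr.Service + "/" + pr.Resource
	if ra.Subresource != "" {
		configured := false
		for _, s := range pr.Subresources {
			configured = configured || s == ra.Subresource
		}
		if !configured || strings.ContainsAny(ra.Subresource, "/.") {
			return "", fmt.Errorf("subresource %q not configured on %s", ra.Subresource, path)
		}
		path += "/" + ra.Subresource
	}
	return path + "." + ra.Verb, nil
}
```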