
# ODH Platform

## Usage

General flow diagram:

```mermaid
graph TD
    A[ODH Operator] -->|Creates| B[ConfigMap]
    B -->|Defines| C[Protected Resource]
    D[ODH Platform] -->|Consumes| B
    D -->|Watches| C
    C -->|Upon creation| D
    D -->|Creates| E[Authorino AuthConfigs]
    D -->|Creates| F[Istio AuthorizationPolicies]
    H[ODH Component] -->|Creates instance of| C
```

The platform controller is deployed on the cluster automatically whenever a DSC component that declares a need for authorization is enabled.

From the component developer perspective:

```mermaid
graph TD
    A[Component Developer] -->|Defines| B[ProtectedResource in ODH Operator]
    subgraph ProtectedResource
        B1[Schema]
        B2[WorkloadSelector]
        B3[HostPaths]
        B4[Ports]
        B --> B1
        B --> B2
        B --> B3
        B --> B4
    end
    A -->|Creates instance of| C[ProtectedResource in Cluster]
    C -->|Watched by| D[ODH Platform]
    D -->|Creates| E[Authorization Resources]
    subgraph Authorization Resources
        E1[Authorino AuthConfigs]
        E2[Istio AuthorizationPolicies]
        E --> E1
        E --> E2
    end
```

The developer needs to define the `ProtectedResource` in the ODH operator so that the ODH platform controller watches the resources intended to be protected. The `ProtectedResource` type looks like:

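```go
// ProtectedResource describes a resource the ODH platform controller
// watches in order to create authorization resources for it.
type ProtectedResource struct {
	Schema           ResourceSchema    `json:"schema,omitempty"`
	WorkloadSelector map[string]string `json:"workloadSelector,omitempty"`
	HostPaths        []string          `json:"hostPaths,omitempty"`
	Ports            []string          `json:"ports,omitempty"`
}
```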

Where `Schema` is a custom type:

```go
import "k8s.io/apimachinery/pkg/runtime/schema"

type ResourceSchema struct {
	// GroupVersionKind specifies the group, version, and kind of the resource.
	schema.GroupVersionKind `json:"gvk,omitempty"`
	// Resources is the type of resource being protected, e.g., "pods", "services".
	Resources string `json:"resources,omitempty"`
}
```
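
An added example, not code from the ODH operator or platform: the two types above, serialized with their JSON tags and run through a lint a component developer could apply before registering a definition. `GroupVersionKind` here is a local stand-in for the apimachinery type, and `Lint`, `Encode` and the lint rules (including numeric ports) are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// GroupVersionKind is a local stand-in for apimachinery's schema.GroupVersionKind.
type GroupVersionKind struct{ Group, Version, Kind string }

type ResourceSchema struct {
	GroupVersionKind `json:"gvk,omitempty"`
	Resources        string `json:"resources,omitempty"`
}

type ProtectedResource struct {
	Schema           ResourceSchema    `json:"schema,omitempty"`
	WorkloadSelector map[string]string `json:"workloadSelector,omitempty"`
	HostPaths        []string          `json:"hostPaths,omitempty"`
	Ports            []string          `json:"ports,omitempty"`
}

// Lint lists gaps in a definition; the rules are assumptions of this example.
func Lint(p ProtectedResource) []string {
	var out []string
	if p.Schema.Kind == "" || p.Schema.Version == "" || p.Schema.Resources == "" {
		out = append(out, "schema: version, kind and resources must be set")
	}
	if len(p.WorkloadSelector) == 0 {
		out = append(out, "workloadSelector: empty")
	}
	for _, port := range p.Ports { // assumption: ports are numeric strings
		if n, err := strconv.Atoi(port); err != nil || n < 1 || n > 65535 {
			out = append(out, "ports: invalid port "+strconv.Quote(port))
		}
	}
	return out
}

// Encode renders the definition as JSON using the struct tags above.
func Encode(p ProtectedResource) string {
	b, _ := json.Marshal(p)
	return string(b)
}

func main() {
	p := ProtectedResource{Ports: []string{"8080", "http"}} // constructed sample
	fmt.Println(Encode(p), Lint(p))
}
```

Because `omitempty` never drops struct-valued fields, `schema` and `gvk` are emitted even when unset, so an incomplete definition still serializes and has to be caught by a check like `Lint` rather than by a missing key.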