Description
Feature Description
Currently, everything in KCP is built on top of the root workspace. But this exposes some unnecessary details to the users. For example, if we use a structure like the one below:
root:
  organizations:
    org1
      departament1
      departament2
    org2
      departament1
      departament2
    org3
If you are part of org1, you might guess org2's structure. This is like "knowing your AWS account ID allows you to guess other people's account IDs" and do some guesswork and try to access things.
kcp supports a forest type of structure, but it's not clearly exposed.
Proposed Solution
The proposal is to add a new tenancy API object:
apiVersion: tenancy.kcp.io/v1alpha1
kind: WorkspaceTree
spec:
  type:
  cluster:
status:
  ...
This would closely follow the workspace API. But the idea is that one could request this named WorkspaceTree object and get its own tree assigned, which is not under root.
Example:
root:
  organizations:
    {WorkspaceTree/foo, WorkspaceTree/bar}
foo:
  departament1
  departament2
bar:
Where `foo, bar` could be user-provided or randomly generated, making the system non-guessable.
And users would see this in their kubeconfig as clusters/foo:department1 or a random string.
Alternative Solutions
No response
Want to contribute?
- I would like to work on this issue.
Additional Context
No response