Description
Context
The kubernetes-graphql-gateway is particularly useful for building user experiences on top of KRM APIs. With Kubernetes RBAC, a user is either allowed to list/watch all resources of a kind in a given namespace or is not allowed to list them at all; RBAC does not filter a list result down to the objects the user may access.
In practice it is often very useful to be able to "list all that I have access to". Let's explore how we can enable this case, also considering the performance implications.
Considerations
- On Kubernetes-native implementations, one option could be to use a higher-privileged identity to list all resources and then execute a SubjectAccessReview per individual resource for the given user (at the cost of one review per listed object, which is where the performance concern comes from).
- It would be great to find a solution that works with pure RBAC but also in webhook mode, without any assumptions about which authorization webhooks are in place.
- A plan B could be to restrict this feature to configurations that include an FGA system such as OpenFGA.
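The first consideration (privileged list, then SubjectAccessReviews per object) as a self-contained example. This is added illustration code, not code from the kubernetes-graphql-gateway project. It assumes a minimal local `ResourceAttributes` type instead of the real `k8s.io/api` one, an `Authorizer` interface standing in for posting SubjectAccessReviews with the gateway's privileged client, a constructed `FakeAuthorizer` with sample grants, and the design choice that "get" on an individual object means the user may see it. It also goes one step beyond the text: it first issues a single namespace-level "list" review per namespace and only falls back to per-object reviews where that is denied, so the pure-RBAC case costs one review per namespace while the per-object path still works with any authorizer.

```go
package main

import (
	"context"
	"fmt"
	"sort"
	"sync"
)

// ResourceAttributes is a local stand-in for spec.resourceAttributes of an
// authorization.k8s.io/v1 SubjectAccessReview, trimmed to the fields this
// example needs (assumption; the real type lives in k8s.io/api).
type ResourceAttributes struct {
	Namespace string
	Verb      string
	Group     string
	Resource  string
	Name      string // empty means the whole collection
}

// Authorizer answers "may user perform attrs?". Against a real cluster this
// would POST a SubjectAccessReview with the gateway's privileged client; the
// interface lets the example run offline against FakeAuthorizer below.
type Authorizer interface {
	Allowed(ctx context.Context, user string, attrs ResourceAttributes) (bool, error)
}

// Object is the part of a listed Kubernetes object needed for filtering.
type Object struct {
	Namespace, Name string
}

// FilteredList returns the subset of all (already listed with elevated
// privileges) that user may see, plus the number of reviews issued:
//  1. one "list" review per namespace: if granted, every object in that
//     namespace is visible (the pure-RBAC case costs one review per namespace);
//  2. otherwise one "get" review per object with resourceName set, at most
//     parallel in flight. This per-object path is what keeps the approach
//     independent of the authorizer (RBAC, webhook, ...), at N reviews.
// Assumption: "get" on the individual object is treated as "allowed to see it".
func FilteredList(ctx context.Context, a Authorizer, user, group, resource string, all []Object, parallel int) ([]Object, int, error) {
	if parallel < 1 {
		parallel = 1
	}
	byNS := map[string][]Object{}
	for _, o := range all {
		byNS[o.Namespace] = append(byNS[o.Namespace], o)
	}
	namespaces := make([]string, 0, len(byNS))
	for ns := range byNS {
		namespaces = append(namespaces, ns)
	}
	sort.Strings(namespaces) // deterministic order for callers and tests

	var (
		visible    []Object // filled by the namespace fast path (no goroutines)
		objVisible []Object // filled by per-object goroutines, guarded by mu
		nsReviews  int
		objReviews int
		firstErr   error
		mu         sync.Mutex
		wg         sync.WaitGroup
		sem        = make(chan struct{}, parallel)
	)
	for _, ns := range namespaces {
		nsReviews++
		ok, err := a.Allowed(ctx, user, ResourceAttributes{Namespace: ns, Verb: "list", Group: group, Resource: resource})
		if err != nil {
			wg.Wait()
			return nil, nsReviews + objReviews, err
		}
		if ok {
			visible = append(visible, byNS[ns]...)
			continue
		}
		for _, o := range byNS[ns] {
			wg.Add(1)
			sem <- struct{}{} // bounded parallelism for the slow path
			go func(o Object) {
				defer wg.Done()
				defer func() { <-sem }()
				ok, err := a.Allowed(ctx, user, ResourceAttributes{Namespace: o.Namespace, Verb: "get", Group: group, Resource: resource, Name: o.Name})
				mu.Lock()
				defer mu.Unlock()
				objReviews++
				if err != nil && firstErr == nil {
					firstErr = err
				}
				if ok {
					objVisible = append(objVisible, o)
				}
			}(o)
		}
	}
	wg.Wait()
	if firstErr != nil {
		return nil, nsReviews + objReviews, firstErr
	}
	visible = append(visible, objVisible...)
	sort.Slice(visible, func(i, j int) bool { // goroutines finish out of order
		if visible[i].Namespace != visible[j].Namespace {
			return visible[i].Namespace < visible[j].Namespace
		}
		return visible[i].Name < visible[j].Name
	})
	return visible, nsReviews + objReviews, nil
}

// FakeAuthorizer stands in for the API server: a set of granted
// (user, namespace, verb, group/resource, name) tuples. Constructed test data.
type FakeAuthorizer struct{ Grants map[string]bool }

func grantKey(user string, a ResourceAttributes) string {
	return fmt.Sprintf("%s|%s|%s|%s/%s|%s", user, a.Namespace, a.Verb, a.Group, a.Resource, a.Name)
}

func (f FakeAuthorizer) Allowed(_ context.Context, user string, a ResourceAttributes) (bool, error) {
	return f.Grants[grantKey(user, a)], nil
}

// Demo runs FilteredList over constructed sample data (not real cluster state):
// alice may list pods in team-a, may get only pod "shared" in team-b, and has
// nothing in team-c. Expected: 3 visible pods from 6 reviews (3 list + 3 get).
func Demo() ([]Object, int, error) {
	auth := FakeAuthorizer{Grants: map[string]bool{
		grantKey("alice", ResourceAttributes{Namespace: "team-a", Verb: "list", Resource: "pods"}):                 true,
		grantKey("alice", ResourceAttributes{Namespace: "team-b", Verb: "get", Resource: "pods", Name: "shared"}): true,
	}}
	all := []Object{
		{Namespace: "team-a", Name: "a1"}, {Namespace: "team-a", Name: "a2"},
		{Namespace: "team-b", Name: "shared"}, {Namespace: "team-b", Name: "private"},
		{Namespace: "team-c", Name: "c1"},
	}
	return FilteredList(context.Background(), auth, "alice", "", "pods", all, 4)
}

func main() {
	visible, reviews, err := Demo()
	fmt.Println(visible, reviews, err)
}
```

Note that the privileged lister still returns every object, including fields such as secret data, so the filter must run server-side in the gateway and never hand the unfiltered list to the client; the per-object fallback is also where a webhook authorizer's latency multiplies by N, which is the performance implication to measure before enabling this path broadly.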