{"id":16857005,"url":"https://github.com/robscott/referencegrant-poc","last_synced_at":"2025-04-05T10:43:45.851Z","repository":{"id":215187134,"uuid":"736088131","full_name":"robscott/referencegrant-poc","owner":"robscott","description":"POC for ReferenceGrant in sig-auth","archived":false,"fork":false,"pushed_at":"2024-02-23T11:07:00.000Z","size":69,"stargazers_count":2,"open_issues_count":1,"forks_count":0,"subscribers_count":4,"default_branch":"main","last_synced_at":"2025-02-10T21:38:48.004Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/robscott.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-12-27T00:41:22.000Z","updated_at":"2024-01-22T19:13:51.000Z","dependencies_parsed_at":null,"dependency_job_id":"54952d51-c7b4-40f4-b997-15ec6a7a6c09","html_url":"https://github.com/robscott/referencegrant-poc","commit_stats":null,"previous_names":["robscott/referencegrant-poc"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robscott%2Freferencegrant-poc","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robscott%2Freferencegrant-poc/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robscott%2Freferencegrant-poc/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/robscott%2Freferencegrant-poc/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/robscott","download_url":"https://codeload.github.com/robscott/referencegrant-poc/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247325648,"owners_count":20920713,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-13T14:06:21.392Z","updated_at":"2025-04-05T10:43:45.829Z","avatar_url":"https://github.com/robscott.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ReferenceGrant POC\n\nThis project is a proof of concept meant to show the viability of the next\ngeneration of ReferenceGrant. As a POC, this project provides absolutely no\nstability, and should never be used in a production environment. If this ever\nbecomes production ready, it will do so exclusively within a kubernetes or\nkubernetes-sigs repo.\n\n## High Level Goals\n\n* Show how ReferenceGrant could become part of kubernetes/kubernetes via\n  sig-auth.\n* Enable ReferenceGrant to be used more generically, defining the specific\n  reference paths that should be followed.\n* Provide a means of authorizing controllers to only access the resources that\n  are directly referenced by resources they are implementing. (For example, a\n  Gateway controller should only be reading from the secrets referenced by a\n  Gateway).\n* Provide the foundation for a backfill that could be used to provide similar\n  functionality in earlier Kubernetes versions.\n\n## Context\n\nWith SIG-Storage adopting ReferenceGrant for [cross-namespace storage data\nsources](https://kubernetes.io/blog/2023/01/02/cross-namespace-data-sources-alpha/),\nit became important for us to transition ReferenceGrant to a more neutral home.\nThis project explores what a transition to a more generic, auth-first approach\ncould look like.\n\nThis has been a point of discussion at previous KubeCons, resulting in both a\n[KEP](https://github.com/kubernetes/enhancements/issues/3766) and a [more recent\ndoc](https://docs.google.com/document/d/1poQb0uxOkJsebNgTMrpaogcY9vcehGHe1myqvenCXtU/edit)\nshowing how this could all work.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frobscott%2Freferencegrant-poc","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frobscott%2Freferencegrant-poc","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frobscott%2Freferencegrant-poc/lists"}