docs(rfc): add RFC-0011 multi-player support design#1980
Conversation
3713b9b to
85e9054
Compare
|
Could we rename this to RFC-0011? I'll reserve the number in our tracker 😄. |
| - **Agent orchestration.** One agent's service account creates sandboxes for | ||
| sub-agents, each getting their own sandbox principal. The parent service | ||
| account retains visibility. |
There was a problem hiding this comment.
Does the parent service account create "sub" service accounts?
There was a problem hiding this comment.
Does each sandbox have to use a unique sercice account or can it be shared, but still maintain a unique agent identity using the pod name in it's SPIFFE id for example?
|
We are missing a persona in this approach. CMIW, but the user persona as modeled sounds more like an end-user who's directly interacting with an agent in a Sandbox. OpenShell multi-user architecture should support agentic app development for app developers. It should leverage K8s rbac for access control in app namespaces. It should also decouple policy management through Gateway in such a way that app developers or app workloads (or compromised workloads) can't override certain org/platform wide security policies enforced via Gateway. I hope that makes sense. |
|
Great RFC, this fills a real gap. My comments above are coming from a Kubernetes perspective, specifically looking at how well this proposal maps to the operator discussion in #1719. I'm not suggesting the gateway should copy the Kubernetes multi-tenancy model for Docker, VM, or bare-metal drivers. But for Kubernetes deployments, we should be careful about which existing platform concepts we can reuse (namespaces, RBAC, Secret management, admission control) so that the integration feels native to operators and platform teams already running that ecosystem. Both proposed Kubernetes modes (managed and operator) map OpenShell namespaces (or "workspaces") to K8s namespaces. The difference is who provisions the namespace (gateway in managed mode, external tooling in operator mode), not the conceptual relationship. In both cases, providers can reference credentials managed by the cluster's secret infrastructure (external-secrets-operator, Vault). The gateway keeps its own workspace model, roles, and credential scoping for non-K8s drivers where none of that exists. That said, there's an impedance mismatch worth checking. K8s RBAC maps well to control plane operations: who can create/delete So in practice, K8s RBAC covers "who can deploy what" (platform admins install the operator, team leads manage CRs in their namespace), while the gateway's auth model from this RFC covers "who can do what at runtime" (exec, relay, session sharing). Both are needed, with clear boundaries. One thing worth considering on phasing: if the operator (#1719) is being designed in parallel, operator mode (Phase 3) is the simpler starting point for Kubernetes (no ClusterRole for namespace create/delete, no naming conventions, no race conditions). It might make sense to design these together rather than sequentially. |
7c1718a to
a9a578b
Compare
Signed-off-by: Derek Carr <decarr@redhat.com>
a9a578b to
158abf2
Compare
|
For AI Fatory at NVIDIA, the requirements are as follows:
I believe this proposal covers them all at a high level, but please correct it if anything is missing. |
|
@dhirajsb this proposal covers your requested items, but some items would need to be handled post this rfc. I will discuss in more detail in community call, but here is a quick summary.
|
Summary
This RFC introduces multi-player support for OpenShell by adding workspaces as hard isolation boundaries, expanding the role model to six roles (Platform Admin, Workspace Admin, Auditor, User, Service
Account, Sandbox Supervisor), and introducing workspace-scoped access control. The Kubernetes compute driver gains two workspace mapping modes — managed (default), which creates gateway-scoped Kubernetes
namespaces (openshell-{gateway-id}-{workspace-name}), and operator mode for 1:1 passthrough to pre-existing namespaces. A three-tier policy layering model replaces the current mutual-exclusion approach.
The design preserves backwards compatibility for single-player deployments via a
defaultworkspace.Related Issue
#1977
Changes
defaultworkspace for backwards compatibilitycreated_byonObjectMetafor attribution, not access controlopenshell-{gateway-id}-{workspace-name}) and operator (1:1 name passthrough to pre-existing K8s namespaces)ApiActivityevents on every mutating gRPC callTesting
mise run pre-commitpassesChecklist