Cross Namespace Event Links

Flag name: cross-namespace-event-links

Stage: Alpha, disabled by default

Tracking issue: #7530

Overview

This feature enables triggers and subscriptions (event links) to refer to a broker or channel in a different namespace. Without this feature, the trigger or subscription must be in the same namespace as the broker or channel.

RBAC

To ensure that users can subscribe to events from a broker or channel in another namespace only when they are allowed to, this feature introduces a new RBAC verb, knsubscribe. A user must have this verb to create a trigger or subscription that references a broker or channel in another namespace. An example of a role with the correct verb is shown below:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: example-cross-namespace-role
      # Namespace of the broker that may be referenced
      namespace: ns-1
    rules:
      - apiGroups:
          - "eventing.knative.dev"
        resources:
          - brokers
        verbs:
          # Verb required for cross-namespace event links
          - knsubscribe

This role lets users create triggers that refer to a broker in namespace ns-1 from any namespace in which they are able to create triggers.
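
Because knsubscribe is an ordinary RBAC verb, a rule that uses the "*" wildcard for verbs grants it as well. The following audit helper is an added example, not code from the Knative project; it goes beyond the role above by also flagging wildcard grants. The manifests in SAMPLE are constructed, and the role names broker-reader and eventing-all are hypothetical.

```python
# Added example: find RBAC rules that grant knsubscribe on Knative brokers.
# Manifests are constructed sample data, already parsed into dicts.

GROUP, RESOURCE, VERB = "eventing.knative.dev", "brokers", "knsubscribe"


def _matches(values, wanted):
    """Kubernetes RBAC treats "*" in a rule list as matching every value."""
    return "*" in values or wanted in values


def grants_knsubscribe(rule):
    """True if one rule allows knsubscribe on brokers, explicitly or by wildcard."""
    return (
        _matches(rule.get("apiGroups", []), GROUP)
        and _matches(rule.get("resources", []), RESOURCE)
        and _matches(rule.get("verbs", []), VERB)
    )


def audit(manifests):
    """Return (kind, namespace, name, explicit) for each role granting knsubscribe."""
    findings = []
    for m in manifests:
        if m.get("kind") not in ("Role", "ClusterRole"):
            continue
        hits = [r for r in m.get("rules") or [] if grants_knsubscribe(r)]
        if hits:
            meta = m.get("metadata", {})
            # explicit=False means the verb is only reachable through "*".
            explicit = any(VERB in r.get("verbs", []) for r in hits)
            # ClusterRoles carry no namespace; their scope depends on the binding.
            findings.append((m["kind"], meta.get("namespace", "-"), meta.get("name"), explicit))
    return findings


SAMPLE = [  # constructed manifests
    {"kind": "Role", "metadata": {"name": "example-cross-namespace-role", "namespace": "ns-1"},
     "rules": [{"apiGroups": ["eventing.knative.dev"], "resources": ["brokers"], "verbs": ["knsubscribe"]}]},
    {"kind": "Role", "metadata": {"name": "broker-reader", "namespace": "ns-1"},
     "rules": [{"apiGroups": ["eventing.knative.dev"], "resources": ["brokers"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "eventing-all"},
     "rules": [{"apiGroups": ["eventing.knative.dev"], "resources": ["*"], "verbs": ["*"]}]},
]

if __name__ == "__main__":
    for kind, ns, name, explicit in audit(SAMPLE):
        print(f"{kind} {ns}/{name}: knsubscribe {'explicit' if explicit else 'via wildcard'}")
```

Roles reported as wildcard grants are worth reviewing before the cross-namespace-event-links flag is enabled, since their holders gain the new capability without any change to the role.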