docs(rfc): add RFC-0011 multi-player support design#1980
Conversation
3713b9b to
85e9054
Compare
|
Could we rename this to RFC-0011? I'll reserve the number in our tracker 😄. |
| - **Agent orchestration.** One agent's service account creates sandboxes for | ||
| sub-agents, each getting their own sandbox principal. The parent service | ||
| account retains visibility. |
There was a problem hiding this comment.
Does the parent service account create "sub" service accounts?
There was a problem hiding this comment.
Does each sandbox have to use a unique sercice account or can it be shared, but still maintain a unique agent identity using the pod name in it's SPIFFE id for example?
|
We are missing a persona in this approach. CMIW, but the user persona as modeled sounds more like an end-user who's directly interacting with an agent in a Sandbox. OpenShell multi-user architecture should support agentic app development for app developers. It should leverage K8s rbac for access control in app namespaces. It should also decouple policy management through Gateway in such a way that app developers or app workloads (or compromised workloads) can't override certain org/platform wide security policies enforced via Gateway. I hope that makes sense. |
|
Great RFC, this fills a real gap. My comments above are coming from a Kubernetes perspective, specifically looking at how well this proposal maps to the operator discussion in #1719. I'm not suggesting the gateway should copy the Kubernetes multi-tenancy model for Docker, VM, or bare-metal drivers. But for Kubernetes deployments, we should be careful about which existing platform concepts we can reuse (namespaces, RBAC, Secret management, admission control) so that the integration feels native to operators and platform teams already running that ecosystem. Both proposed Kubernetes modes (managed and operator) map OpenShell namespaces (or "workspaces") to K8s namespaces. The difference is who provisions the namespace (gateway in managed mode, external tooling in operator mode), not the conceptual relationship. In both cases, providers can reference credentials managed by the cluster's secret infrastructure (external-secrets-operator, Vault). The gateway keeps its own workspace model, roles, and credential scoping for non-K8s drivers where none of that exists. That said, there's an impedance mismatch worth checking. K8s RBAC maps well to control plane operations: who can create/delete So in practice, K8s RBAC covers "who can deploy what" (platform admins install the operator, team leads manage CRs in their namespace), while the gateway's auth model from this RFC covers "who can do what at runtime" (exec, relay, session sharing). Both are needed, with clear boundaries. One thing worth considering on phasing: if the operator (#1719) is being designed in parallel, operator mode (Phase 3) is the simpler starting point for Kubernetes (no ClusterRole for namespace create/delete, no naming conventions, no race conditions). It might make sense to design these together rather than sequentially. |
a9a578b to
158abf2
Compare
|
For AI Fatory at NVIDIA, the requirements are as follows:
I believe this proposal covers them all at a high level, but please correct it if anything is missing. |
|
@dhirajsb this proposal covers your requested items, but some items would need to be handled post this rfc. I will discuss in more detail in community call, but here is a quick summary.
|
| mandatory access control prevents processes in one namespace from reading | ||
| files, secrets, or process state belonging to another. | ||
|
|
||
| **Sandbox escape threat model.** Container breakout is the dominant concern in |
There was a problem hiding this comment.
Should we mention VMs/kata as another layer of protection here?
| variable. The explicit `--workspace` flag takes precedence over the environment | ||
| variable. | ||
|
|
||
| ```shell |
There was a problem hiding this comment.
CLI to switch current active workspace could be considered.
0ecd5ea to
42f502e
Compare
|
|
||
| A future extension could allow sharing a sandbox with a principal who is not a | ||
| member of the workspace. The motivating use case: a platform team runs a | ||
| "shared-tools" workspace containing sandboxes with internal services (a test |
There was a problem hiding this comment.
I don't think internal services like a database or a mock API would be in a sandbox. Those would just be in another namespace, and the agent sandboxes would need to be configured such that they had network access to those services.
Maybe there's some other use case for shared-tools, but these don't seem to be valid use cases.
There was a problem hiding this comment.
A shared sandboxed agent for pair programming or tightly collaborating with the same agent instance makes more sense to me.
There was a problem hiding this comment.
yeah, makes sense. i read this as a sandbox that had a client with credentials to speak to the database, not the literal database, unless it was like sqlite or something. i can tweak.
| Every resource belongs to exactly one workspace. A `default` workspace exists | ||
| for single-player backwards compatibility. Workspace creation is admin-only: | ||
| Platform Admins create workspaces and assign Workspace Admins. Self-service | ||
| workspace creation can be added later as a gateway configuration option. |
There was a problem hiding this comment.
I was looking for this line as I was thinking about something @drew asked in a community call. If you have a workspace with 2 sandboxes, one of which you would like to share while keeping the other private you will need a second workspace, which will require an admin to create for you.
e6e1da5 to
1e6cd08
Compare
Signed-off-by: Derek Carr <decarr@redhat.com>
1e6cd08 to
7d26c03
Compare
Summary
This RFC introduces multi-player support for OpenShell by adding workspaces as hard isolation boundaries, expanding the role model to three user roles (Platform Admin, Workspace Admin, User), and
introducing workspace-scoped access control. Machine workloads authenticate via OIDC workload identity using the same multi-provider OIDC mechanism as human users, with no stored API keys or secrets. The
Sandbox Supervisor is clarified as a separate principal type with sandbox-scoped JWT authentication, distinct from the user role model. The Kubernetes compute driver gains two workspace mapping modes —
managed (default), which creates gateway-scoped Kubernetes namespaces (openshell-{gateway-id}-{workspace-name}), and operator mode for 1:1 passthrough to pre-existing namespaces. A three-tier policy
layering model replaces the current mutual-exclusion approach. Audit trail attribution follows the Kubernetes pattern — events are emitted as structured OCSF JSONL and forwarded to external SIEM systems
rather than queried through a gateway API. The design preserves backwards compatibility for single-player deployments via a
defaultworkspace.Related Issue
#1977
Changes
defaultworkspace for backwards compatibilityworkspace membership maps OIDC subjects to workspace access
#[rpc_auth]macro withworkspace_roleandglobal_roleattributes, aWorkspaceScopedtrait on request messages, and a singleauthorize_workspace()call per handler
openshell-{gateway-id}-{workspace-name}with DNS-1123 validation) and operator (1:1 name passthrough to pre-existing K8snamespaces)
gateway-wide deny rules override allows at any tier
(object_type, name)to(object_type, workspace, name)with backfill todefaultworkspaceTesting
mise run pre-commitpassesChecklist