Clouds now support ACLs


#1

With the recent addition of support for GKE clusters, we now have a situation whereby many users can potentially add their own personal Kubernetes clusters to a Juju controller. So we now need a way to ensure that only users with permission to do so can add models to a cloud/cluster.

When a Kubernetes cluster is added (as a cloud), the owner has admin permission straight away. They can then grant add-model permission (or admin permission) to another user:

juju grant-cloud bob add-model myk8scloud

You can grant permission to many clouds at the same time:

juju grant-cloud bob add-model myk8scloud anotherk8scloud

The syntax here is the same as for the standard juju grant command. And there’s also the corresponding juju revoke-cloud command.

Note that previously the add-model permission was granted to the controller. Although the old syntax is supported, it it translated to grant add-model permission to the controller cloud itself. Thus the controller cloud and any added Kubernetes clusters are treated the same way in terms of how add-model access is granted and revoked.