feature: allow RBAC bootstrapping for user identities in `Kubeconfigs`

[embik]

Feature Description

Bootstrapping a new kcp instance with kcp-operator is still a bit of a frustrating experience, because you can create Kubeconfig objects, but unless they encode a privileged group like system:masters, the resulting kubeconfig is unable to access kcp.

We should allow bootstrapping basic ClusterRoleBindings into a target workspace (mostly root, I suppose) for identities managed by Kubeconfigs so that you can gain access to the kcp instance and go from there (e.g. wire it up to a git repository holding all your authZ configuration).

Proposed Solution

Extend the Kubeconfig CRD. It could look like this:

spec:
  authorization:
    clusterRoleBindings:
      workspacePath: "root"
      clusterRoles:
        - "cluster-admin"

workspacePath is the target workspace (identified by colon-separated path) and clusterRoles is the list of target ClusterRoles in the workspace that ClusterRoleBindings should be created for.

Alternative Solutions

No response

Want to contribute?

• I would like to work on this issue.

Additional Context

No response

[xrstf]

What should happen if a kubeconfig is deleted? Should the bindings also be removed?

[embik]

Ideally, I would say yes.

[xrstf]

Work on this is currently paused due to other responsibilities. We got "stuck" because the cleanup routine for this newly created RBAC requires us to remember somewhere in what workspace the kcp-operator has provisioned stuff (think of someone editing a Kubeconfig object and just removing the auth section -- how would the operator know where to clean up?). @embik and me decided that in our threat model it's acceptable to store the workspace in the Kubeconfig's status. If the admin decides to muck up their Kubeconfig objects, it's on them.

Work on this will resume probably in October 2025. It's not much left over, basically only this "remember workspace in status" stuff.