feature: Allow accessing workspace content through terminating virtualworkspace #3647

@SimonTheLeg

Description

This is a follow-up issue to #3615

When we initially designed terminating virtual workspace, we wanted it to feel like the initializing workspace does. Among others, this includes having the ability to access objects inside the workspace directly through the virtual workspace.

The problem is that we cannot implement this easily using the same mechanism. For reference: initializers use the experimental.tenancy.kcp.io/owner annotation on a logicalcluster to obtain UserInfo on the owner of the cluster and their groups. Afterwards it uses a special token and the UserInfo to impersonate the owner of the workspace/logicalcluster when making any requests.

```go
// Excerpt from the initializing virtual workspace proxy: read the owner's
// UserInfo from the LogicalCluster annotation and impersonate that user.
rawInfo, ok := logicalCluster.Annotations[tenancyv1alpha1.ExperimentalWorkspaceOwnerAnnotationKey]
if !ok {
	http.Error(writer, fmt.Sprintf("LogicalCluster %s|%s had no user recorded", cluster, corev1alpha1.LogicalClusterName), http.StatusInternalServerError)
	return
}
// The annotation value is a JSON-encoded authenticationv1.UserInfo
// (username, uid, groups, extra).
var info authenticationv1.UserInfo
if err := json.Unmarshal([]byte(rawInfo), &info); err != nil {
	http.Error(writer, fmt.Sprintf("could not unmarshal user info for cluster %q: %v", cluster, err), http.StatusInternalServerError)
	return
}
// Copy the extra fields so the impersonation config does not alias the parsed struct.
extra := map[string][]string{}
for k, v := range info.Extra {
	extra[k] = v
}
// Impersonate the owner (including groups) on a copy of the base rest.Config;
// the resulting transport carries the Impersonate-* headers on every request.
thisCfg := rest.CopyConfig(cfg)
thisCfg.Impersonate = rest.ImpersonationConfig{
	UserName: info.Username,
	UID:      info.UID,
	Groups:   info.Groups,
	Extra:    extra,
}
authenticatingTransport, err := rest.TransportFor(thisCfg)
```

This works for initializers, but unfortunately, we wipe the group information when a workspace hits its ready state:

```go
// On the Ready transition the annotation is re-marshalled with the username only,
// dropping UID, groups and extra.
} else if userOnlyValue, err := json.Marshal(authenticationv1.UserInfo{Username: info.Username}); err != nil {
```

Without this information a proxy in the finalizer is not able to obtain the groups of the owner and cannot do the impersonation.

To consider when building solutions
While it is possible for us to remove the group information wiping, it would still not be backwards compatible. For workspaces/logicalclusters created before kcp with this functionality was installed, the information would still be lost. We need to take this into consideration when designing this functionality or choose to accept this risk.

Or alternatively we revamp the access mechanism completely for both initializing and terminating workspaces.
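As an added, stdlib-only example that is not kcp's code, the following models the annotation flow described above: the initializer-side parse into an impersonation config, the Ready-time rewrite to a username-only annotation, and a proxy-side check that refuses to impersonate once the groups are gone (which also covers logicalclusters created before any fix, whose annotations are already user-only). The UserInfo and ImpersonationConfig types are local stand-ins for authenticationv1.UserInfo and rest.ImpersonationConfig with the same JSON field names, and the owner values are constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ownerAnnotationKey is the annotation the issue refers to
// (tenancyv1alpha1.ExperimentalWorkspaceOwnerAnnotationKey).
const ownerAnnotationKey = "experimental.tenancy.kcp.io/owner"

// UserInfo is a stand-in for authenticationv1.UserInfo with the same JSON
// field names, so this example runs without the Kubernetes modules.
type UserInfo struct {
	Username string              `json:"username,omitempty"`
	UID      string              `json:"uid,omitempty"`
	Groups   []string            `json:"groups,omitempty"`
	Extra    map[string][]string `json:"extra,omitempty"`
}

// ImpersonationConfig mirrors the rest.ImpersonationConfig fields the
// initializer proxy fills in.
type ImpersonationConfig struct {
	UserName string
	UID      string
	Groups   []string
	Extra    map[string][]string
}

var ErrNoOwner = errors.New("logical cluster has no owner annotation")
var ErrGroupsWiped = errors.New("owner annotation has no groups: refusing to impersonate an incomplete identity")

// ownerFromAnnotations parses the owner annotation the way the initializer proxy does.
func ownerFromAnnotations(annotations map[string]string) (UserInfo, error) {
	raw, ok := annotations[ownerAnnotationKey]
	if !ok {
		return UserInfo{}, ErrNoOwner
	}
	var info UserInfo
	if err := json.Unmarshal([]byte(raw), &info); err != nil {
		return UserInfo{}, fmt.Errorf("could not unmarshal owner user info: %w", err)
	}
	return info, nil
}

// impersonationFor builds the impersonation config. It refuses when groups
// are absent: impersonating the bare username would run requests under a
// different (group-less) authorization context than the owner really has.
func impersonationFor(info UserInfo) (ImpersonationConfig, error) {
	if len(info.Groups) == 0 {
		return ImpersonationConfig{}, ErrGroupsWiped
	}
	extra := make(map[string][]string, len(info.Extra))
	for k, v := range info.Extra {
		extra[k] = append([]string(nil), v...)
	}
	return ImpersonationConfig{
		UserName: info.Username,
		UID:      info.UID,
		Groups:   append([]string(nil), info.Groups...),
		Extra:    extra,
	}, nil
}

// markReady reproduces the Ready transition described in the issue: the
// annotation is rewritten to carry only the username. Returns a new map.
func markReady(annotations map[string]string) (map[string]string, error) {
	info, err := ownerFromAnnotations(annotations)
	if err != nil {
		return nil, err
	}
	userOnly, err := json.Marshal(UserInfo{Username: info.Username})
	if err != nil {
		return nil, err
	}
	out := make(map[string]string, len(annotations))
	for k, v := range annotations {
		out[k] = v
	}
	out[ownerAnnotationKey] = string(userOnly)
	return out, nil
}

// sampleInitializing is a constructed annotation set for a freshly created
// logical cluster (all values are made up for this example).
func sampleInitializing() map[string]string {
	return map[string]string{
		ownerAnnotationKey: `{"username":"alice","uid":"u-1","groups":["system:authenticated","team-a"],"extra":{"scopes":["example"]}}`,
	}
}

func main() {
	initializing := sampleInitializing()
	info, _ := ownerFromAnnotations(initializing)
	cfg, err := impersonationFor(info)
	fmt.Printf("initializing: user=%s groups=%v err=%v\n", cfg.UserName, cfg.Groups, err)
	ready, _ := markReady(initializing)
	info, _ = ownerFromAnnotations(ready)
	_, err = impersonationFor(info)
	fmt.Printf("ready: annotation=%s err=%v\n", ready[ownerAnnotationKey], err)
}
```

Running it shows the initializing annotation yielding a full impersonation config, while the same cluster after markReady carries only `{"username":"alice"}` and the proxy check returns ErrGroupsWiped instead of impersonating with a partial identity; a terminating-workspace proxy built on the current annotation would hit exactly that branch.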

Metadata

Assignees: No one assigned
Labels: No labels
Type: No type
Projects: Status: New
Milestone: No milestone
Relationships: None yet
Development: No branches or pull requests