How do we describe and require compound authorization requests? #28

Open
@luxas

Description

Category

Other

Describe the feature you'd like to request

It is fairly common to require compound authorization today in Kubernetes e.g. through an admission webhook performing a SubjectAccessReview to the API server, or by using the authorizer variable in ValidatingAdmissionPolicies.

A couple of examples:

  • CSR sign and approve: require the user to be able to approve "signers" resource in apiGroup "certificates.k8s.io" with name "<signer>"
  • ownerReference update authorization (especially if blocking): require delete on the updated object, and/or delete on the owner, if the ownerRef is blocking.
  • when updating RBAC rules themselves, a user can update them if they have the escalate or bind verbs attached.

There are probably lots more examples like this.

Describe alternatives you've considered

Additional context

No response

Is this something that you'd be interested in working on?

  • 👋 I may be able to implement this feature request
  • ⚠️ This feature might incur a breaking change
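The first compound check listed above (approving a CSR requires the "approve" verb on the signer, on top of the RBAC permission to update the approval subresource) is what kube-apiserver's built-in CertificateApproval admission plugin enforces. The ValidatingAdmissionPolicy below restates that check with the CEL `authorizer` variable to show the pattern; it is an added example, not code from this issue or from the Kubernetes project, and the policy and binding names are placeholders.

```yaml
# Added example: compound authorization for CSR approval as a
# ValidatingAdmissionPolicy. The authorizer variable evaluates against
# the user making the admission request, so the policy only passes when
# that user is allowed both to update certificatesigningrequests/approval
# (ordinary RBAC, checked before admission) and to "approve" the signer.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: require-signer-approve        # placeholder name
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups:   ["certificates.k8s.io"]
        apiVersions: ["v1"]
        operations:  ["UPDATE"]
        resources:   ["certificatesigningrequests/approval"]
  variables:
    - name: signerName
      expression: "object.spec.signerName"
    # Only an update that marks the CSR Approved needs the extra check;
    # a plain Denied condition is left to RBAC on the subresource.
    - name: approving
      expression: >-
        has(object.status) && has(object.status.conditions) &&
        object.status.conditions.exists(c, c.type == 'Approved' && c.status == 'True')
    # SubjectAccessReview-equivalent: verb "approve" on resource "signers"
    # in apiGroup "certificates.k8s.io" with the signer's name.
    - name: canApproveSigner
      expression: >-
        authorizer.group('certificates.k8s.io').resource('signers')
          .name(variables.signerName).check('approve').allowed()
  validations:
    - expression: "!variables.approving || variables.canApproveSigner"
      messageExpression: "'user is not permitted to approve signer ' + variables.signerName"
      reason: Forbidden
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: require-signer-approve-binding   # placeholder name
spec:
  policyName: require-signer-approve
  validationActions: [Deny]
```

The same shape (match the triggering resource, derive the second permission's attributes from the object, call `authorizer...check(verb).allowed()`) covers the ownerReference and RBAC-escalation cases, with the difference that the second check's group, resource and name must be computed from the request rather than fixed in the policy.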
