security-operator assumes a single-shard kcp. In internal/client/all_platformmesh.go#L40 only the first URL of the core.platform-mesh.io APIExportEndpointSlice is used, so it will miss any resource whose workspace is hosted on another shard.
Observed impact:
On a multi-shard platform-mesh (e.g. when platform-mesh-operator provisions multiple kcp shards), the Store reconciler's authorizationModelSubroutine cannot see AuthorizationModel CRs created in workspaces on multiple shards. The composite OpenFGA model published for the store ends up missing those types, and rebac-authz-webhook subsequently denies reads with "type '_' not found", surfacing as 403s through the GraphQL gateway.
Since platform-mesh-operator already supports multi-shard kcp and I didn't find an existing tracking issue, filing this as a feature request.
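To make the single-shard assumption concrete, here is an added Go example (not security-operator's code and not a proposed patch) that contrasts reading only the first endpoint of an APIExportEndpointSlice with fanning out over every endpoint and unioning the results. The APIExportEndpointSlice struct below is a minimal mirror of the kcp shape (assumption: only status.apiExportEndpoints[].url is modelled), the shardListers map stands in for a per-shard client, and all URLs and type names are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
)

// Minimal mirror of the fields this example needs from kcp's
// APIExportEndpointSlice (assumption: only status.apiExportEndpoints[].url is
// modelled; the real type lives in the kcp SDK).
type APIExportEndpoint struct {
	URL string
}

type APIExportEndpointSlice struct {
	Status struct {
		APIExportEndpoints []APIExportEndpoint
	}
}

// shardListers simulates a per-shard client: the key is an endpoint URL, the
// value is the set of AuthorizationModel type names reachable through it.
// Constructed sample data, not real clusters.
type shardListers map[string][]string

// firstEndpointOnly reproduces the single-shard assumption described above:
// only Status.APIExportEndpoints[0].URL is ever consulted.
func firstEndpointOnly(slice APIExportEndpointSlice, l shardListers) []string {
	if len(slice.Status.APIExportEndpoints) == 0 {
		return nil
	}
	return uniqueSorted(l[slice.Status.APIExportEndpoints[0].URL])
}

// allEndpoints fans out over every endpoint URL in the slice (skipping empty
// and repeated URLs) and unions the results, so a composite model built from
// it contains the types defined on every shard.
func allEndpoints(slice APIExportEndpointSlice, l shardListers) []string {
	seen := map[string]bool{}
	var types []string
	for _, ep := range slice.Status.APIExportEndpoints {
		if ep.URL == "" || seen[ep.URL] {
			continue
		}
		seen[ep.URL] = true
		types = append(types, l[ep.URL]...)
	}
	return uniqueSorted(types)
}

// uniqueSorted de-duplicates type names and returns them in stable order.
func uniqueSorted(in []string) []string {
	set := map[string]struct{}{}
	for _, s := range in {
		set[s] = struct{}{}
	}
	out := make([]string, 0, len(set))
	for s := range set {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

// missingTypes reports the types a first-endpoint-only reader never sees;
// these are the names an authorizer would later reject as "type not found".
func missingTypes(slice APIExportEndpointSlice, l shardListers) []string {
	have := map[string]bool{}
	for _, t := range firstEndpointOnly(slice, l) {
		have[t] = true
	}
	var missing []string
	for _, t := range allEndpoints(slice, l) {
		if !have[t] {
			missing = append(missing, t)
		}
	}
	return missing
}

// sampleSlice builds a constructed two-shard slice with one duplicated entry.
func sampleSlice() (APIExportEndpointSlice, shardListers) {
	var s APIExportEndpointSlice
	root := "https://shard-root.example/services/apiexport/core.platform-mesh.io"
	second := "https://shard-2.example/services/apiexport/core.platform-mesh.io"
	s.Status.APIExportEndpoints = []APIExportEndpoint{{URL: root}, {URL: second}, {URL: second}}
	listers := shardListers{
		root:   {"account", "store"},
		second: {"store", "order"},
	}
	return s, listers
}

func main() {
	s, l := sampleSlice()
	fmt.Println("first endpoint only:", firstEndpointOnly(s, l))
	fmt.Println("all endpoints:      ", allEndpoints(s, l))
	fmt.Println("types missing:      ", missingTypes(s, l))
}
```

Running it shows the first-endpoint reader returning only the root shard's types, while the fan-out reader also picks up the type that exists only on the second shard; that gap is exactly what ends up absent from a composite model assembled from one endpoint.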