Endpoint Access Control

3 min read

Orkestra exposes a live HTTP API for every CRD in a Katalog. Two independent controls let you restrict who can see what:

ControlScopeWhat it restricts
endpoints:CRDWhich HTTP paths the runtime registers
crossAccess:CRD or KatalogWhether sibling operators can read this CRD via cross:

They are independent. crossAccess: false does not disable HTTP endpoints. endpoints: enabled: false does not prevent cross reads. Use both together for a CRD that is completely invisible to all consumers.


endpoints: — controlling HTTP visibility

Disable one endpoint

spec:
  crds:
    payment:
      endpoints:
        health: false

/katalog/payment/health returns 404. All other endpoints remain registered. Use when health details — consecutive fails, last error, uptime — are sensitive but you still want metrics and CR state accessible from dashboards.

info: false disables /katalog/payment (the config and metrics endpoint) while leaving health up.

Disable all endpoints

spec:
  crds:
    credential:
      endpoints:
        enabled: false

The runtime does not register any per-CRD paths for credential. /katalog/credential, /katalog/credential/health, and /katalog/credential/cr all return 404. The CRD still appears in the top-level /katalog summary count — it is counted but not drillable.

The reconciler runs normally. Nothing about enabled: false affects reconciliation, workers, or queue behaviour.

What always remains

Regardless of endpoints: settings, the top-level /katalog endpoint always includes the CRD in its summary count. There is no way to make a CRD invisible to the top-level listing except by disabling the CRD — only its per-CRD paths can be suppressed.


crossAccess: — controlling cross-operator reads

crossAccess controls whether other Katalogs can read this CRD’s CR state via the cross: block — in-binary or cross-binary via ONCOP.

At the CRD level

spec:
  crds:
    keyrotation:
      crossAccess: false

Any cross: reference that targets keyrotation resolves to empty. No error is raised in the reading operator — the read silently returns nothing.

At the Katalog level

crossAccess: false

spec:
  crds:
    payment:
      ...
    ledger:
      crossAccess: true   # overrides the Katalog default for this CRD only
      ...

crossAccess: false at the Katalog level closes all CRDs in that Katalog by default. Individual CRDs can override back to true.


Combining both — fully dark

spec:
  crds:
    keyrotation:
      crossAccess: false
      endpoints:
        enabled: false

keyrotation is now invisible to every consumer:

  • Sibling operators using cross: receive empty results
  • HTTP clients hitting /katalog/keyrotation receive 404
  • The Control Center cannot drill into it — no health badge, no CR list
  • It still appears in the top-level /katalog count

The operator reconciles silently. Other CRDs in the same Katalog are unaffected.


When to use each

SituationRecommendation
Health details are business-sensitive but dashboards need metricsendpoints: health: false
Operator must be completely opaque to HTTP consumersendpoints: enabled: false
Operator manages secrets or keys — no sibling should read its CR statecrossAccess: false
Maximum isolation — credentials, key management, audit trailscrossAccess: false + endpoints: enabled: false


Try it

ork init --pack advanced/19-endpoint-control
# Follow the README examples

Further Reading

  • Endpoint reference — full list of per-CRD HTTP paths
  • ONCOP — cross-binary observation protocol that crossAccess gates