Replies: 1 comment
The quick search I did indicates that this is not possible with RBAC currently. There is no "everything except" or "deny rule" in RBAC. I was going to suggest some kind of string matching wildcard like in this issue: kubernetes/kubernetes#56582 (comment), but there is also no way to accomplish that, from some quick searching and what I can tell; e.g. teamB can have access across any namespaces (and oh my, isn't that a clever example...). If you want to make self-service namespaces, then it looks like you have to use a tool like loft-sh/kiosk, which checks for an existing namespace and lets you create it, with role binding assignments made based on a model built around labeling and ownership.
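As an added illustration of the allow-list point made in the reply above (example configuration written for this page, not taken from the discussion or from the Flux project): RBAC bindings only ever grant, and a `RoleBinding` grants within one namespace. The Flux multi-tenant model hangs off exactly this, so a tenant whose namespaces appear on the fly has no binding in them until something creates one. The namespace `review-42`, the service account `team-b` and the git source `team-b-repo` are placeholder names.

```yaml
# Added example, not from the discussion. Placeholder names: review-42,
# team-b, team-b-repo.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: team-b
  namespace: review-42
---
# A RoleBinding is namespace-scoped: it grants the service account the
# built-in "admin" ClusterRole inside review-42 and nothing anywhere else.
# RBAC has no "every namespace except kube-system" form, so each tenant
# namespace needs its own binding like this one, created before the tenant
# can use it.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-b-admin
  namespace: review-42
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- kind: ServiceAccount
  name: team-b
  namespace: review-42
---
# kustomize-controller applies this tenant's manifests impersonating the
# service account above, so the RoleBinding is the boundary of what the
# tenant's Kustomization is allowed to create.
apiVersion: kustomize.toolkit.fluxcd.io/v1beta1
kind: Kustomization
metadata:
  name: team-b
  namespace: review-42
spec:
  interval: 5m
  path: ./team-b
  prune: true
  serviceAccountName: team-b
  sourceRef:
    kind: GitRepository
    name: team-b-repo
```

The only way to cover namespaces that do not exist yet with plain RBAC is a `ClusterRoleBinding`, and that grants the well-known namespaces as well, which is the trade-off the reply describes; a controller such as kiosk fills the gap by creating the per-namespace binding at the moment the namespace is created.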
I'm about to convert our current setup (see #1148) to a multi-tenant configuration. We now have two teams using fluxv2: team A is using a single namespace, but the other team (team B) creates namespaces on the fly for review purposes (right now they create the dynamic namespace in a gitlab pipeline, and then commit the new `HelmRelease` with the `targetNamespace` attribute to the flux git repo in the same pipeline). Team A can be easily converted to the multi-tenant setup, but I don't see how to convert the team B setup to multi-tenancy. As far as I understand I need to specify the team-to-namespace association in advance. But I would like to grant all-namespace rights (except a few well-known namespaces) to team B. However, I have a feeling that the whole process should be refactored, and I should use a different approach. Can you suggest which direction I should look in?

Thank you.