Multi-Tenancy Strategies #263
Replies: 4 comments 15 replies
-
After having this explained to me at length (thanks Stefan!), I think there's a simpler design possible. To recap, the problem to be solved is how to set things safely up so a tenant can create their own
i.e., the fleet config delegates app syncing to the tenant, by syncing a tenant repo containing definitions of GitRepository and Kustomization objects for the app repos. Since you don't want to give tenant's any access to the system namespace, you can't let them create syncs there. You could create the delegating sync in the tenant namespace; however this means it's accessible to the tenant. Ideally you would want the delegating sync to live inside the system namespace, while anything defined within the tenant repo to be confined to the tenant namespace. The solution given in the original post is that impersonation of service accounts can be switched off for tenants -- and when it's switched off, a user outside of the control of the tenant is impersonated instead. This has some downsides:
The multi-tenancy mode isn't strictly required -- if the tenant is restricted to creating syncs in their namespace(s), they can't impersonate a service account outside it. To achieve this, you have to have a service account (in the system namespace) for the delegating sync, that has the restricted permissions. Then the problem becomes this much simpler one: service accounts are costly at startup time, because crypto, so you don't really want to have to create one per tenant. A design which doesn't introduce another controller mode is: let syncs specify a user to impersonate. Then the delegating syncs can refer to a user with restricted permissions for the tenant namespace, rather than having to have a service account created for them. App syncs can try to impersonate a service account or user, or leave it to the default -- they won't be able to access outside the namespace they are in. |
Beta Was this translation helpful? Give feedback.
-
Service account impersonation has been implemented for HelmReleases: fluxcd/helm-controller#157 |
Beta Was this translation helpful? Give feedback.
-
Another point that was brought up to me by a colleague of mine was the potential for DOSing resources that aren't present in your namespace by setting up a webhook receiver referencing resources in a namespace you don't have permissions to access, triggering continuous reconciliation on resources you don't own. I'm not sure if the docs are consistent on this point as it relates to the current state of the source code, but as it stands in the docs, this also seems to be a multi-tenancy hole. |
Beta Was this translation helpful? Give feedback.
-
I've written up #582 which proposes changes inspired by these strategies. We could probably add an entire section based on @stefanprodan's cluster owner and tenant workflows using the Please give it a look when you have a moment! |
Beta Was this translation helpful? Give feedback.
-
Personas
Platform Admin
GitRepository
andKustomization
Tenant
GitRepositories
andKustomizations
HelmRepositories
andHelmReleases
Current solution
See https://github.com/fluxcd/flux2-multi-tenancy
Proposal
A tenant should be able to add sources with
GitRepository
,HelmRepository
andBucket
objects in their namespaces and define how those sources are reconciled on the cluster withKustomization
andHelmRelease
objects.Platform admins should be able to make use of Kubernetes RBAC and restrict the reconciliation scope of a tenant's
Kustomizations
andHelmReleases
.Defining tenants
Platform admins can define tenants by creating namespaces, RBAC and role bindings in the Git repository bootstrapped with
flux
.Tenant with full access to a namespace:
When a
Kustomization
orHelmRelease
is being reconciled in theweb-team
namespace, it will run under thegotk:web-team:reconciler
user that's restricted to theweb-team
namespace only.A cluster admin can extend the tenant access to be able to create custom resource definitions or any other cluster wide object:
Configuring multi-tenancy
Cluster admins can enable multi-tenancy isolation when installing or upgrading flux.
When a
Kustomization
orHelmRelease
is being reconciled in a namespace other than the namespace where flux is installed, the reconciliation will run under thegotk:<NAMESPACE>:reconciler
user. If the user doesn't exists or if the objects being reconciled don't belong to that namespace, the reconcilers will not be able to apply the tenant's sources on the cluster.The cluster admins can provision tenants with
flux create tenant
, the command generates a namespace and role binding definition that grants the reconcilers full access to that namespace and that namespace only.Cluster admin workflow:
Dev team workflow:
Beta Was this translation helpful? Give feedback.
All reactions