
feat(controller): add generic cluster scoped resources to proxysettings #421

Merged

@oliverbaehler oliverbaehler commented Apr 10, 2024

With this feature you can grant LIST permissions to cluster-scoped resources based on labels. This feature is added as a FeatureGate and is therefore not active on default installations of the capsule-proxy. Usage with the flag --feature-gates=ProxyClusterScoped=true

Example

Here's an example implementation of the clusterResource settings:

---
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: solar
spec:
  owners:
  - name: alice
    kind: User

Create a namespace as alice to propagate proxySettings:

kubectl --kubeconfig hack/alice.kubeconfig create ns solar-test

Create the ProxySettings:

---
apiVersion: capsule.clastix.io/v1beta1
kind: ProxySetting
metadata:
  name: solar
  namespace: solar-test
spec:
  subjects:
  - name: alice
    kind: User
    clusterResources:
    - apiGroups:
      - kyverno.io/*
      operations:
      - "List"
      resources:
      - "*"
      selector:
        matchLabels:
          consumer: customer
    - apiGroups:
      - admissionregistration.k8s.io/v1
      resources:
      - "mutatingwebhookconfigurations"
      selector:
        matchLabels:
          consumer: tenant
    - apiGroups:
      - admissionregistration.k8s.io/v1
      resources:
      - "validatingwebhookconfigurations"

This setting allows alice to:

  • LIST all *.kyverno.io/* resources with the label-value consumer: customer
  • LIST all mutatingwebhookconfigurations.admissionregistration.k8s.io/v1 with the label-value consumer: tenant

Label some resources so that they match and run some commands:

$ kubectl --kubeconfig hack/bob.kubeconfig get mutatingwebhookconfigurations.admissionregistration.k8s.io
No resources found

$ kubectl --kubeconfig hack/alice.kubeconfig get mutatingwebhookconfigurations.admissionregistration.k8s.io
NAME                                     WEBHOOKS   AGE
capsule-mutating-webhook-configuration   4          84m

$ kubectl --kubeconfig hack/alice.kubeconfig get clusterPolicy
NAME                    ADMISSION   BACKGROUND   VALIDATE ACTION   READY   AGE   MESSAGE
disallow-host-process   true        true         Audit             True    46m   Ready

(No Label on any resource)
$ kubectl --kubeconfig hack/alice.kubeconfig get clustercleanuppolicies.kyverno.io
No resources found

Helm CRD lifecycle

This version also introduces a new flow for how we can manage the CRDs with Helm beyond the install lifecycle. It's a simple template which renders the CRDs and by default keeps the CRDs even if the release is deleted. In the Chart README.md the entire upgrading process is documented.

This change is by default not breaking, because the current lifecycle process is not active. This way our users can opt-in and perform the required actions for the upgrade (documented in the README.md of the chart). All these changes are done with this commit:

When deleting the chart, the default behavior is to keep the installed CRDs:

These resources were kept due to the resource policy:
[CustomResourceDefinition] proxysettings.capsule.clastix.io

release "capsule-proxy" uninstalled

Note: Should this change be accepted, I would like to introduce this cycle on the capsule helm chart as well, but with the next major release.
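As an added illustration of the clusterResources semantics described in the example above (written for this page, not code from this PR or from capsule-proxy), a small Go model that evaluates the three ProxySetting entries against sample requests. It assumes only the two wildcard forms shown (`*` and `group/*`), treats an entry with no operations as granting List, and treats an entry without a selector as granting nothing, so that the selector-less validatingwebhookconfigurations entry stands out as inert rather than broad.

```go
package main

import "strings"

// Rule models one clusterResources entry from the example above (illustrative model for this page, not capsule-proxy code).
type Rule struct {
	APIGroups   []string          // exact "group/version" or a "group/*" wildcard
	Operations  []string          // empty is treated as the default operation, List
	Resources   []string          // exact resource names or "*"
	MatchLabels map[string]string // labels an object must carry to be visible
}

// matches supports the two wildcard forms used in the example: "*" and "group/*".
func matches(patterns []string, value string) bool {
	for _, p := range patterns {
		if p == "*" || p == value ||
			(strings.HasSuffix(p, "/*") && strings.HasPrefix(value, strings.TrimSuffix(p, "*"))) {
			return true
		}
	}
	return false
}

// Allowed reports whether any rule lets the subject perform op on a cluster-scoped object of
// group/resource carrying labels. Assumption: a rule without matchLabels grants nothing.
func Allowed(rules []Rule, group, resource, op string, labels map[string]string) bool {
	for _, r := range rules {
		// no operations listed means the default, List; otherwise op must be listed explicitly
		listByDefault := len(r.Operations) == 0 && op == "List"
		if len(r.MatchLabels) == 0 || !matches(r.APIGroups, group) ||
			!matches(r.Resources, resource) || !(listByDefault || matches(r.Operations, op)) {
			continue
		}
		selected := true
		for k, v := range r.MatchLabels { // every selector label must match exactly
			selected = selected && labels[k] == v
		}
		if selected {
			return true
		}
	}
	return false
}

// ExampleRules transcribes the clusterResources list from the PR description above.
var ExampleRules = []Rule{
	{APIGroups: []string{"kyverno.io/*"}, Operations: []string{"List"}, Resources: []string{"*"}, MatchLabels: map[string]string{"consumer": "customer"}},
	{APIGroups: []string{"admissionregistration.k8s.io/v1"}, Resources: []string{"mutatingwebhookconfigurations"}, MatchLabels: map[string]string{"consumer": "tenant"}},
	{APIGroups: []string{"admissionregistration.k8s.io/v1"}, Resources: []string{"validatingwebhookconfigurations"}},
}
```

Running the unlabeled-object cases reproduces the "No resources found" results shown above, while the labeled mutatingwebhookconfigurations case matches what alice sees.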

@oliverbaehler oliverbaehler added this to the 0.6.0 milestone Apr 10, 2024
@oliverbaehler oliverbaehler changed the title feat(controller): add generic cluster scoped resources to proxysettings WIP: feat(controller): add generic cluster scoped resources to proxysettings Apr 10, 2024
@oliverbaehler oliverbaehler changed the title WIP: feat(controller): add generic cluster scoped resources to proxysettings feat(controller): add generic cluster scoped resources to proxysettings Apr 11, 2024
@oliverbaehler oliverbaehler modified the milestones: 0.6.0, 0.7.0 Apr 11, 2024
@oliverbaehler oliverbaehler added the enhancement New feature or request label Apr 11, 2024
@oliverbaehler oliverbaehler self-assigned this Apr 11, 2024
@prometherion prometherion left a comment


The feature is very neat and I like it, thanks for the big efforts you're pushing in leading Capsule and the Proxy features.

I'm a bit frightened of the CRD handling, however, and CI is complaining: wondering if it's related to it.

If we can assess everything's working good, +1 from me.

@oliverbaehler oliverbaehler merged commit 303547a into projectcapsule:main May 5, 2024
8 checks passed