Commit

docs: forbidden node labels and annotations

Maksim Fedotov committed Oct 28, 2021
1 parent f2746fb commit 49189f6
Showing 4 changed files with 37 additions and 8 deletions.
5 changes: 1 addition & 4 deletions docs/operator/use-cases/deny-wildcard-hostnames.md
@@ -26,7 +26,4 @@ EOF
Doing this, Alice will not be able to use `oil.bigorg.com`, being the tenant-owner of `gas`.

# What’s next

This ends our tour in Capsule use cases. As we improve Capsule, more use cases about multi-tenancy, policy admission control, and cluster governance will be covered in the future.

Stay tuned!
See how Bill, the cluster admin can protect specific labels and annotations on Nodes from modifications by Tenant Owners. [Denying specific user-defined labels or annotations on Nodes](./node-labels-and-annotations.md).
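Review bot: the new `What's next` sentence drops the comma that closes the appositive; it should read "See how Bill, the cluster admin, can protect specific labels and annotations on Nodes…", matching the wording of the same link sentence in taint-services.md in this commit. Moving the "This ends our tour… Stay tuned!" closing to the new Nodes page is consistent with it now being the last page of the tour.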
6 changes: 3 additions & 3 deletions docs/operator/use-cases/namespace-labels-and-annotations.md
@@ -1,4 +1,4 @@
# Denying user-defined labels or annotations
# Denying specific user-defined labels or annotations on Namespaces

By default, capsule allows tenant owners to add and modify any label or annotation on their namespaces.

@@ -13,9 +13,9 @@ kind: Tenant
metadata:
name: oil
annotations:
capsule.clastix.io/forbidden-namespace-labels: foo.acme.net, bar.acme.net
capsule.clastix.io/forbidden-namespace-labels: foo.acme.net,bar.acme.net
capsule.clastix.io/forbidden-namespace-labels-regexp: .*.acme.net
capsule.clastix.io/forbidden-namespace-annotations: foo.acme.net, bar.acme.net
capsule.clastix.io/forbidden-namespace-annotations: foo.acme.net,bar.acme.net
capsule.clastix.io/forbidden-namespace-annotations-regexp: .*.acme.net
spec:
owners:
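Review bot: removing the space after the comma in the `forbidden-namespace-labels` and `forbidden-namespace-annotations` values suggests the annotation parser does not trim whitespace around list items; the page should state that explicitly (or the parser should trim), because a stray space would turn `bar.acme.net` into a different key that never matches and the label would stay allowed. Separately, in `forbidden-namespace-labels-regexp: .*.acme.net` the unescaped dots match any character and the pattern is unanchored, so it forbids more keys than "anything under acme.net"; for a deny rule that errs on the safe side, but if the intent is the domain suffix, `.*\.acme\.net$` says so, and otherwise the text should note that the pattern is deliberately loose.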
32 changes: 32 additions & 0 deletions docs/operator/use-cases/node-labels-and-annotations.md
@@ -0,0 +1,32 @@
# Denying specific user-defined labels or annotations on Nodes

When using `capsule` together with [capsule-proxy](https://github.com/clastix/capsule-proxy), Bill can allow Tenant Owners to [modify Nodes](../../proxy/overview.md).

By default, it will allow tenant owners to add and modify any label or annotation on their nodes.

But there are some scenarios, when tenant owners should not have an ability to add or modify specific labels or annotations (there are some types of labels or annotations, which must be protected from modifications - for example, which are set by `cloud-providers` or `autoscalers`).

Bill, the cluster admin, can deny Tenant Owners to add or modify specific labels and annotations on Nodes:

```yaml
kubectl apply -f - << EOF
apiVersion: capsule.clastix.io/v1alpha1
kind: CapsuleConfiguration
metadata:
name: default
annotations:
capsule.clastix.io/forbidden-node-labels: foo.acme.net,bar.acme.net
capsule.clastix.io/forbidden-node-labels-regexp: .*.acme.net
capsule.clastix.io/forbidden-node-annotations: foo.acme.net,bar.acme.net
capsule.clastix.io/forbidden-node-annotations-regexp: .*.acme.net
spec:
userGroups:
- capsule.clastix.io
- system:serviceaccounts:default
EOF
```
# What’s next

This ends our tour in Capsule use cases. As we improve Capsule, more use cases about multi-tenancy, policy admission control, and cluster governance will be covered in the future.

Stay tuned!
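Review bot: the `forbidden-node-labels-regexp` and `forbidden-node-annotations-regexp` examples reuse `.*.acme.net`, where the unescaped dots match any character, so the deny rule is broader than the prose implies; consider `.*\.acme\.net$` or say that the pattern is intentionally loose. The page should also make explicit that these rules are set on the cluster-scoped `CapsuleConfiguration` (named `default` in the example) rather than on a `Tenant` as the Namespace rules are, which suggests they are not per-tenant. Two smaller points: the `# What's next` heading directly follows the closing fence with no blank line, which some Markdown renderers fold into the code block, and "there are some scenarios, when tenant owners should not have an ability to add or modify specific labels or annotations" reads better as "there are scenarios in which tenant owners must not be able to add or modify specific labels or annotations".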
2 changes: 1 addition & 1 deletion docs/operator/use-cases/taint-services.md
@@ -25,4 +25,4 @@ EOF
When Alice creates a service in a namespace, this will inherit the given label and/or annotation.

# What’s next
See how Bill, the cluster admin, can allow Alice to use specific labels or annotations. [Allow adding labels and annotations on namespaces](./namespace-labels-and-annotations.md).
See how Bill, the cluster admin, can protect specific labels and annotations on Namespaces from modifications by Alice. [Denying specific user-defined labels or annotations on Namespaces](./namespace-labels-and-annotations.md).
