-
Notifications
You must be signed in to change notification settings - Fork 162
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document how Capsule integrates in a Flux GitOps based environment #528
Comments
Comment for Assignment |
Thanks @oliverbaehler really appreciate. |
Hey @bsctl I was working exactly on the same use case here.
Tenant self-service reconciliationTL;DR: The tenant owner needs permission to More details on #582 - I recommend reading it. Enter Capsule ProxyI see that this use case is perfect for Capsule Proxy. In this way, the tenant resource control and isolation would happen on a step before during the request process as the request would be proxied instead of being validated. Then, Capsule Proxy would provide the tenant-scoped view of cluster-scoped resources, to the Tenant Owner. From this point on, the Tenant Owner would be safe to Also, no further complexity would be introduced. Flux + Capsule + Capsule ProxyIn a nutshell, the Kustomize reconciler in order to reconcile the desired state of the tenant - which would be ideally declared and versioned on Git by the tenant owner itself - would impersonate the Tenant Owner SA user and communicate to the Capsule Proxy to also operate on cluster-scoped resources (e.g. Namespace-as-a-service) - and nothing more! The tenant can configure it through the For example, a
would declare its
where the capsule-proxy The missing pieceAs of now, on this idea the missing piece is the kubeConfig
WIP/cc @prometherion |
Yeah that's what our current setup looks like. We have shell-operator in place which dumps kubeconfigs from serviceaccounts into secrets which access the capsule proxy's internal url. We could add something like that to the capsule proxy. You will still need to get around, since you implement a huge security exploit when just allowing patch privileges #582 |
TL;DR what is missing in this scenario is:
About FluxIn the end we should be able to apply also Flux's multi-tenancy lockdown features:
except for:
|
Hi @maxgio92, I have tried the approach to allow Flux within tenants, meaning that cross references within namespaces in the same tenant are such which are marked as public, are allowed. But we don't have the time to maintain such policies over time and we are also moving towards argo, so i guess we won't need them anymore (They weren't used in production yet). Maybe it's something usefu. See the following policies: helmrelease.policy.yaml
kustomization.policy.yaml
global.config.yaml
|
Thank you @oliverbaehler ! |
Could we make this optional right now and use the Kyverno policies shared by @oliverbaehler so we can close this with the docs update? |
@prometherion If we want to propose these i would take some time to harden them and verify that they are working as expect, not that we create a security leak. My intention was to share reconciler resources which are common (eg. bitnami helm repository is in a public namespace). But I don't know if I am still a fan of this idea, since these policies rely on api calls which decrease cluster performance (API Requests) |
It depends on the time since I'd like to publish the v0.1.2 before the next community call, expected in 2 weeks. Do you think that's feasible according to your availability?
I'm missing the context here, could you elaborate a bit more? |
@prometherion TL;DR without point Point @oliverbaehler I'm going to test the PoC with the new Keep you posted. |
I wrote down these test definitions:
|
TL;DR The last two points can be achieved without policies, instead enabling also the default SA impersonation-feature of Flux MultiTenancy Lockdown. Moreover, with this approach we remove the dependency of a further policy engine. |
Update: all the points are achieved. Even though not-so-elegant, the Tenant GitOps Reconciler communicates to the Capsule Proxy impersonating himself (
For this reason the impersonation support has been introduced into Capsule Proxy (see projectcapsule/capsule-proxy#215). I'm going to prepare a documentation for this scenario and propose some automations that could improve the UX for these GitOps-managed multi-tenancy scenarios. |
@maxgio92 Are these tests automated in e2e? |
@bsctl no, I'm not sure it would make so much sense as they wouldn't test Capsule but a use case integration with an external project. |
@maxgio92 you're right, my bad. |
Hey @oliverbaehler, we released the guide for this scenario https://capsule.clastix.io/docs/guides/flux2-capsule 🥳 If you want to take a look and you notice some improvement, correction, please let me know :-) In any case, thank you a lot for the value you put on this! 🙏🏻 |
Describe the feature
Document how Capsule integrates in a Flux GitOps based environment.
What would the new user story look like?
The cluster admin can learn how to configure a Flux GitOps based environment with Capsule
Expected behaviour
A detailed user guide is provided into documentation.
The text was updated successfully, but these errors were encountered: