Improve GitOps user experience #608

Open
maxgio92 opened this issue Jul 20, 2022 · 1 comment
Labels: blocked-needs-validation (Issue need triage and validation)
maxgio92 commented Jul 20, 2022

This is a draft of the proposal.

Describe the feature

It would be useful to let Capsule set all the needed RBAC and identities for a machine Tenant Owner, that would be responsible for reconciling Tenant resources.

What would the new user story look like?

As a platform/admin user, I want to provide tenant users the ability to declare their resources and let a GitOps Kubernetes operator reconcile them from Git, with an unprivileged identity.

Expected behavior

RBAC

By using a knob (e.g. spec.gitopsReady=true) the admin user could request that the Tenant would be prepared to have:

  • Tenant Owner as ServiceAccount, to be used by GitOps operators and placed into a dedicated Namespace ("Tenant Owner Home")
  • necessary (Cluster)Roles bound, in order to patch, work with custom resources inside the Tenant (admin ClusterRole is not enough, cluster-admin is needed)
  • (optional) ClusterRole bound in order to impersonate himself (e.g. needed on Flux use case)
  • (optional) Secret with generated kubeconfig to let the Tenant Owner SA communicate over Capsule Proxy

I'm going to refine this proposal with more detail and the rationale behind it.

Client config for Proxy

For each robot Tenant Owner (i.e. of ServiceAccount type), a Secret containing a kubeconfig to configure a client to communicate as the Tenant Owner through the Capsule Proxy.

Related issues

@maxgio92 maxgio92 added the blocked-needs-validation Issue need triage and validation label Jul 20, 2022
@maxgio92 maxgio92 self-assigned this Jul 26, 2022
maxgio92 commented Aug 17, 2022

We won't do #631 , as discussed with @prometherion.

Capsule as a framework

Instead, in order to keep Capsule a framework for soft multi-tenancy, we'd provide an additional and dedicated addon to manage RBAC as an adapter for GitOps environments.

This is still more appropriate when RBAC is related to impersonation, which is now leveraged by GitOps operators in particular.

cluster-admin

Another detail is to avoid the usage/binding of the cluster-admin ClusterRole even though it would be attached to Tenant's Namespaces only. Instead, it would be better to provide a tailored ClusterRole, like a "powered" admin ClusterRole.

GitOps RBAC manager as a Capsule Addon

The addon could manage all RBAC-related stuff to adapt the Capsule-managed RBAC for Tenant owners for GitOps environments - typically the owners might be machine users.

This might include the configuration needed to make the Tenant owners, as GitOps reconciler identities, communicate over the Capsule Proxy.
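As an added example (not Capsule's own code or the addon described here) of the RBAC shape the first post lists and the tailored-ClusterRole point above: a ServiceAccount Tenant Owner living in its home Namespace, a purpose-built ClusterRole bound in place of cluster-admin, and self-impersonation limited to that one ServiceAccount. It assumes the Namespace `oil-home` and the ServiceAccount `gitops-reconciler` already exist, and that the v1beta1 Tenant `owners[].clusterRoles` field is used to pick which ClusterRoles Capsule binds in each Tenant Namespace; all names are made up for the example.

```yaml
# Tailored ClusterRole: all verbs on all API groups, so custom resources
# reconciled from Git work (plain "admin" is not enough). Capsule binds it
# only via RoleBindings inside Tenant Namespaces, so it stays
# namespace-scoped without referencing cluster-admin at all.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tenant-gitops-admin
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
# Optional self-impersonation (Flux use case), limited by resourceNames
# to the reconciler's own ServiceAccount rather than all serviceaccounts.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tenant-gitops-self-impersonate
rules:
- apiGroups: [""]
  resources: ["serviceaccounts"]
  resourceNames: ["gitops-reconciler"]
  verbs: ["impersonate"]
---
# Bound in the "Tenant Owner Home" Namespace only (assumed name: oil-home).
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gitops-reconciler-self-impersonate
  namespace: oil-home
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tenant-gitops-self-impersonate
subjects:
- kind: ServiceAccount
  name: gitops-reconciler
  namespace: oil-home
---
# The Tenant names the ServiceAccount as its owner and swaps the default
# "admin" binding for the tailored role (assumed v1beta1 field layout).
apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
  name: oil
spec:
  owners:
  - kind: ServiceAccount
    name: system:serviceaccount:oil-home:gitops-reconciler
    clusterRoles:
    - tenant-gitops-admin
    - capsule-namespace-deleter
```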
