Improve GitOps user experience

[maxgio92]

This is a draft of the proposal.

Describe the feature

It would be useful to let Capsule set all the needed RBAC and identities for a machine Tenant Owner, that would be responsible of reconciling Tenant resources.

What would the new user story look like?

As a platform/admin user, I want to provide tenant users the ability to declare their resources and let a GitOps Kubernetes operator reconcile them from Git, with an unprivileged identity.

Expected behavior

RBAC

By using a knob (e.g. spec.gitopsReady=true) the admin user could request that the Tenant would be prepared to have:

• Tenant Owner as ServiceAccount, to be used by GitOps operators and placed into a dedicated Namespace ("Tenant Owner Home")
• necessary (Cluster)Roles bound, in order to patch, work with custom resources inside the Tenant (admin ClusterRole is not enough, cluster-admin is needed)
• (optional) ClusterRole bound in order to impersonate himself (e.g. needed on Flux use case
• (optional) Secret with generated kubeconfig to let the Tenant Owner SA communicate over Capsule Proxy

I'm going to refine this propsal with more detail and the rationale behind it.

Client config for Proxy

For each robot Tenant Owner (i.e. ServiceAccount type) a Secret containing kubeconfig to configure a client to communicate as Tenant Owner through the Capsule Proxy.

Related issues

• Document how Capsule integrates in a Flux GitOps based environment #528

[maxgio92]

We won't do #631 , as discussed with @prometherion.

Capsule as a framework

Instead, in order to keep Capsule a framework for soft multi-tenancy, we'd provide an additional and dedicated addon to manage RBAC as an adapter for GitOps environments.

This is still more appropriate when RBAC is related to impersonation, which is now, leveraged by a GitOps operator(s) in particular.

cluster-admin

One another detail is to avoid the usage/binding of the cluster-admin ClusterRole even though it would be attached to Tenant's Namespaces only. Insted, it would be better to provide a tailored ClusterRole, like a "powered" admin ClusterRole.

GitOps RBAC manager as a Capsule Addon

The addon could manage all RBAC-related stuff to adapt the Capsule-managed RBAC for Tenant owners for GitOps environments - typically the owners might be machine users.

This might include the configuration needed to make the Tenant owners as GitOps reconciler indentities communicate over the Capsule Proxy.

[github-actions]

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.