Skip to content
This repository has been archived by the owner on Mar 24, 2022. It is now read-only.
/ k8s-rbac-proxy Public archive

Kubernetes RBAC Proxy to scope controllers to multiple namespaces

License

Apache-2.0 license
5 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

vmware-archive/k8s-rbac-proxy

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
cmd
cmd
 
 
config
config
 
 
docs
docs
 
 
examples/etcd-operator
examples/etcd-operator
 
 
hack
hack
 
 
out
out
 
 
proxy
proxy
 
 
test/e2e
test/e2e
 
 
vendor
vendor
 
 
.gitignore
.gitignore
 
 
CODE_OF_CONDUCT.md
CODE_OF_CONDUCT.md
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
Dockerfile
Dockerfile
 
 
Gopkg.lock
Gopkg.lock
 
 
Gopkg.toml
Gopkg.toml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Kubernetes RBAC Proxy

Objective

to isolate controller effects to one or more namespaces

  • pro: allows to decouple number of controllers from number of namespaces managed by these controllers
  • pro: avoids duplication of namespace configuration in rbac and controller configs
  • pro: works with controllers that cannot be modified or do not support namespacing out of the box
  • con: ideally would be implemented in kubernetes api server
  • con: proxying overhead?
  • con: controller configuration has to be modified to redirect api requests (via env variable)

Architecture

+-------------------------+             +-------+             +----------------------------+
| controller (downstream) | --- TLS --> | proxy | --- TLS --> | kube api-server (upstream) |
+-------------------------+             +-------+             +----------------------------+
  • both controller and proxy would typically run inside the cluster
  • TLS certs are issued through Kubernetes CA

Alternative solutions

Docs

To install see ./hack/deploy.sh.

Use cases

TODO

  • list: implement limit & continue token support
  • list: implement list's revisionVersion support
  • deletecollection

Previously Seen Errors

Do let's know if you run into them.

build-controller-ff68c9946-ftgnr > build-controller | W0115 01:22:22.955946       1 reflector.go:341] github.com/knative/build/pkg/client/informers/externalversions/factory.go:114: watch of *v1alpha1.Build ended with: very short watch: github.com/knative/build/pkg/client/informers/externalversions/factory.go:114: Unexpected watch close - watch lasted less than a second and no items received

build-controller-ff68c9946-ftgnr > build-controller | W0115 01:22:50.191934       1 reflector.go:341] github.com/knative/build/vendor/github.com/knative/caching/pkg/client/informers/externalversions/factory.go:117: watch of *v1alpha1.Image ended with: very short watch: github.com/knative/build/vendor/github.com/knative/caching/pkg/client/informers/externalversions/factory.go:117: Unexpected watch close - watch lasted less than a second and no items received

About

Kubernetes RBAC Proxy to scope controllers to multiple namespaces

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

5 stars

Watchers

7 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

 
 
 

Contributors 2

  •  
  •  

Languages