support namespace labeling for tenant owners #407
Comments
|
Can consider |
Yes :) |
|
Maybe we should use |
prometherion
added
enhancement
|
What do you guys think about adding a Regex Option? I bootstrap certain namespaces with a helm wrapper. And I don't want users to mess with my lifecycle hooks or really anything helm related. So I would need the option to deny any label starting with |
|
@prometherion i think we can use existing |
|
I thought the same, @MaxFedotov! |
|
Great, i can start this after my vacation (be back home at September 12th) |
|
Just ran into this when using capsule with argocd. ArgoCD wants to add an annotation and a label to the namespace it is creating. We are adding an "ownerReference" to the namesapce as well to allow capsule to "adopt" the namespace after argocd creates it. Unfortunately, capsule then removes the argo annoations and labels and that causes the two controllers to start to fight over the namespace. Having this sounds like it would allow us to whitelist the annotations and labels that argocd added and let capsule maintain them. |
|
Thanks for this additional use case, @awoodsprim. Definitely, we're going to support this feature on |
|
@awoodsprim i think i can propose a more interesting schema with argocd (i am planning to implement in on our production after my vacation). Starting from v1beta1 capsule allows to add multiple owners for tenants, including service accounts. So it will be possible to add argocd service account as an additional owner to each tenant by default, thus allowing it to create namespaces as a usual tenant user (and it won't be required to set onwerReference manually). And don't forget to add it to userGroups in capsuleConfiguration crd. |
|
@MaxFedotov - With the two tenant owners, creation of a namespace can be done with annotations on the namespace? I only ask because at the moment annotations added manually thorough kubectl are stripped by capsule as per this ticket. Therefore, having argocd as a tenant owner will solve the "adoption" issue, but not the annotation / label one (I think) |
|
@awoodsprim thats depends on how you create a namespace. If you create it using yaml file with ns spec - than you can add annotations/labels to it. If you are using auto-create namespace option - than you had to wait until this proposal will be implemented :) |
|
after discussion with @prometherion decided to add additional apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
name: oil
spec:
owners:
- name: alice
kind: User
namespaceOptions:
userLabels:
allowed:
- myorg.net/foo
allowedRegex: ^\w+-lb$
protected:
- protected.net/bar
userAnnotations:
allowed:
- myorg.net/foo
allowedRegex: ^\w+-lb$
protected:
- protected.net/bar |
|
After another discussion with @prometherion decided to use annotations for now (and later when planning new So with the release of this feature, capsule will allow If
When new |
Current capsule and capsule-proxy implementations deny namespace labeling for tenant owners. The background for this decision was that there are a number of labels, which can lead to different security issues when they are added to a namespace (for example, they can allow to bypass Network Policies).
While this is true, sometimes tenant owners need to have and ability to add some well-known labels defined by their environment. For example, this can be different integrations with 3rd party systems (monitoring, configuration management) where we need to match some business applications with Kubernetes namespaces using some predefined and established set of labels.
So to support these cases and not to compromise overall security I propose adding additional
allowedLabelslist tonamespaceOptionsfield intenantSpec, where cluster-administrator can provide a list of labels, that tenant owners can modify viacapsule-proxyThis will require an additional webhook for namespaces, where we allow modification of only allowed labels for a namespace.
@bsctl, @prometherion WDYT?
The text was updated successfully, but these errors were encountered: