mirror of https://github.com/fluxcd/flux2.git
Add RFC for global objects
Signed-off-by: Rafael da Fonseca <rafael.fonseca@wildlifestudios.com>pull/4612/head
Rafael da Fonseca
11 months ago
parent
2460a79026
commit
090a3e6c61
@ -0,0 +1,58 @@
|
|||||||
|
# RFC-0005 Memorandum on Flux Global Objects
|
||||||
|
|
||||||
|
## Summary
|
||||||
|
|
||||||
|
This RFC describes in detail, the need for the concept of global objects.
|
||||||
|
|
||||||
|
## Motivation
|
||||||
|
|
||||||
|
In multi-tenant environments, especially larger ones, the need for sharing objects across namespaces
|
||||||
|
increases for several reasons, including security, scalability and complexity.
|
||||||
|
|
||||||
|
### Goals
|
||||||
|
|
||||||
|
* Establish a common optional 'Global' field on objects that allows the owner to share it with every other
|
||||||
|
tenant in a cluster
|
||||||
|
* Replace 'LocalObjectReference' with 'NamespaceObjectReference' in CR refs, with the required safeguards
|
||||||
|
to ensure cross namespace refs are not used for non-'Global' objects.
|
||||||
|
|
||||||
|
### Non-Goals
|
||||||
|
|
||||||
|
- This is not intended at defining a comprehensive definition of granular authorization for objects
|
||||||
|
|
||||||
|
|
||||||
|
## Security implications
|
||||||
|
|
||||||
|
- Cluster admins (and in some cases tenants) might need to share some of the resources they manage
|
||||||
|
to other tenants in the cluster. Since many of the types of resources that flux manage are bound
|
||||||
|
to namespace local secrets (such as Providers, Gitrepositories, etc), it's not possible to share
|
||||||
|
access to one of these resources without sharing the sensitive secrets they require.
|
||||||
|
|
||||||
|
- Namespace isolation is currently available in controllers via `--no-cross-namespace-refs`, and
|
||||||
|
while disabling these by default is good for overall security, it should be possible to override
|
||||||
|
this behavior on a specific object's scope, where the owner of the object which is made globally
|
||||||
|
available is responsible for the security considerations of exposing their object to other tenants.
|
||||||
|
This flag also makes little difference to refs in many object types which right now only take in
|
||||||
|
local refs.
|
||||||
|
|
||||||
|
- No RBAC should be required for this, since normally the controllers themselves already have full
|
||||||
|
access to every object.
|
||||||
|
|
||||||
|
## Kubernetes API usage
|
||||||
|
|
||||||
|
- In large scale multi-tenant environments, not being able to share specific resources with multiple
|
||||||
|
tenants results in the need to create a (potentially) very large amount of duplicate objects with
|
||||||
|
the same information, resulting in additional unnecessary storage in Kubernetes, as well as an
|
||||||
|
increase in API calls
|
||||||
|
|
||||||
|
## Flux's authorization model
|
||||||
|
|
||||||
|
- While having a fine grained authorization model for flux objects would be ideal, the previously
|
||||||
|
discussed requirements for it (ReferenceGrant) might take a very long time to be available and
|
||||||
|
does not necessarily conflict with the concept of Global objects, which should be a simple toggle
|
||||||
|
and easier for object owners to configure without requiring a long spec.
|
||||||
|
|
||||||
|
#### Backwards compatibility
|
||||||
|
|
||||||
|
As the NamespaceObjectReference is an extension of LocalObjectReference, backward compatibility is unaffected
|
||||||
|
|
||||||
Loading…
Reference in New Issue