Add --no-cross-namespace-ref to implementation history

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

go.mod

@@ -14,8 +14,9 @@ require (
 	github.com/fluxcd/notification-controller/api v0.21.0
 	github.com/fluxcd/pkg/apis/kustomize v0.3.1 // indirect
 	github.com/fluxcd/pkg/apis/meta v0.10.2
+	github.com/fluxcd/pkg/kustomize v0.0.2
 	github.com/fluxcd/pkg/runtime v0.12.4
-	github.com/fluxcd/pkg/ssa v0.11.0
+	github.com/fluxcd/pkg/ssa v0.12.0
 	github.com/fluxcd/pkg/ssh v0.3.1
 	github.com/fluxcd/pkg/untar v0.0.5
 	github.com/fluxcd/pkg/version v0.0.1
@@ -45,12 +46,8 @@ require (
 	sigs.k8s.io/cli-utils v0.27.0
 	sigs.k8s.io/controller-runtime v0.11.0
 	sigs.k8s.io/kustomize/api v0.10.1
-	sigs.k8s.io/yaml v1.3.0
-)
-
-require (
-	github.com/fluxcd/pkg/kustomize v0.0.2
 	sigs.k8s.io/kustomize/kyaml v0.13.0
+	sigs.k8s.io/yaml v1.3.0
 )
 
 require (

go.sum

@@ -245,8 +245,8 @@ github.com/fluxcd/pkg/kustomize v0.0.2/go.mod h1:AFwnf3OqQmpTCuwCARTGpPRMBf0ZFJN
 github.com/fluxcd/pkg/runtime v0.12.3/go.mod h1:imJ2xYy/d4PbSinX2IefmZk+iS2c1P5fY0js8mCE4SM=
 github.com/fluxcd/pkg/runtime v0.12.4 h1:gA27RG/+adN2/7Qe03PB46Iwmye/MusPCpuS4zQ2fW0=
 github.com/fluxcd/pkg/runtime v0.12.4/go.mod h1:gspNvhAqodZgSmK1ZhMtvARBf/NGAlxmaZaIOHkJYsc=
-github.com/fluxcd/pkg/ssa v0.11.0 h1:ejEMlHPsbXMP8BJQx3+0PwoBgJur0mHiPcMNKcFwoOE=
-github.com/fluxcd/pkg/ssa v0.11.0/go.mod h1:S+qig7BTOxop0c134y8Yv8/iQST4Kt7S2xXiFkP4VMA=
+github.com/fluxcd/pkg/ssa v0.12.0 h1:7nF4UigU9Zk/9P/nbzUP3ah8IRC+BpB64O9iu5VnvEo=
+github.com/fluxcd/pkg/ssa v0.12.0/go.mod h1:S+qig7BTOxop0c134y8Yv8/iQST4Kt7S2xXiFkP4VMA=
 github.com/fluxcd/pkg/ssh v0.3.1 h1:iQw07bkX2rScactX8WYv+uMDsufFOlg8M3fV2TNs244=
 github.com/fluxcd/pkg/ssh v0.3.1/go.mod h1:Sebfv4Um51PvomuYdMvKRncQW5dtKhZ5J5TA+wiHNSQ=
 github.com/fluxcd/pkg/untar v0.0.5 h1:UGI3Ch1UIEIaqQvMicmImL1s9npQa64DJ/ozqHKB7gk=

rfcs/0002-source-acl/README.md

@@ -0,0 +1,181 @@
+# RFC-0002 Access control for source references
+
+**Status:** provisional
+
+**Creation date:** 2021-11-16
+
+**Last update:** 2022-02-03
+
+## Summary
+
+Cross-namespace references to Flux sources should be subject to
+Access Control Lists (ACLs) as defined by the owner of a particular source.
+
+Similar to [Kubernetes Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/),
+Flux ACLs define policies for restricting the access to the source artifact server based on the
+caller's namespace.
+
+## Motivation
+
+As of [version 0.26](https://github.com/fluxcd/flux2/releases/tag/v0.26.0) (Feb 2022),
+Flux allows for `Kustomizations`, `HelmReleases` and `ImageUpdateAutomations` to reference sources in different namespaces.
+On multi-tenant clusters, platform admins can disable this behaviour with the `--no-cross-namespace-refs` flag
+as described in the [multi-tenancy lockdown documentation](https://fluxcd.io/docs/installation/#multi-tenancy-lockdown).
+
+This proposal tries to solve the "cross-namespace references side-step namespace isolation" issue (explained in
+[RFC-0001](https://github.com/fluxcd/flux2/tree/main/rfcs/0001-authorization#cross-namespace-references-side-step-namespace-isolation))
+for when platform admins want to allow tenants to share sources.
+
+### Goals
+
+- Allow source owners to choose which sources are shared and with which namespaces.
+- Allow cluster admins to enforce source ACLs.
+
+### Non-Goals
+
+- Enforce source ACLs by default. 
+
+## Proposal
+
+Extend the current Image Policy/Repository ACL implementation to all the others Flux resources
+as described in [flux2#1704](https://github.com/fluxcd/flux2/issues/1704).
+
+When a Flux resource (`Kustomization`, `HelmRelease` or `ImageUpdateAutomation`)
+refers to a source (`GitRepository`, `HelmRepository` or `Bucket`) in a different namespace,
+access is granted based on the source ACL.
+
+The ACL check is performed only if `--enable-source-acl` flag is set to `true` for the following controllers:
+
+- kustomize-controller
+- helm-controller
+- image-automation-controller
+
+### User Stories
+
+#### Story 1
+
+> As a cluster admin, I want to share Helm Repositories approved by the platform team with all tenants.
+
+If the owner of a Flux `HelmRepository` wants to grant access to the repository for all namespaces in a cluster,
+an empty `matchLabels` can be used:
+
+```yaml
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: bitnami
+  namespace: flux-system
+spec:
+  url: https://charts.bitnami.com/bitnami
+  accessFrom:
+    namespaceSelectors:
+      - matchLabels: {}
+```
+
+If the `accessFrom` field is not present and `--enable-source-acl` is set to `true`,
+means that a source can't be accessed from any other namespace but the one where it currently resides.
+
+#### Story 2
+
+> As a tenant, I want to share my app repository with another tenant
+> so that they can deploy the application in their own namespace.
+
+If `dev-team1` wants to grant read access to their repository to `dev-team2`,
+a `matchLabels` that selects the namespace owned by `dev-team2` can be used:
+
+```yaml
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: app1
+  namespace: dev-team1
+spec:
+  url: ssh://git@github.com/<org>/app1-deploy
+  secretRef:
+    name: app1-ro-ssh-key
+  accessFrom:
+    namespaceSelectors:
+      - matchLabels:
+          kubernetes.io/metadata.name: dev-team2
+```
+
+#### Story 3
+
+> As a cluster admin, I want to let tenants configure image automation in their namespaces by
+> referring to a Git repository managed by the platform team.
+
+If the owner of a Flux `GitRepository` wants to grant write access to `ImageUpdateAutomations` in a different namespace,
+a `matchLabels` that selects the image automation namespace can be used:
+
+```yaml
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: GitRepository
+metadata:
+  name: cluster-config
+  namespace: flux-system
+spec:
+  url: ssh://git@github.com/<org>/cluster-config
+  secretRef:
+    name: read-write-ssh-key
+  accessFrom:
+    namespaceSelectors:
+      - matchLabels:
+          kubernetes.io/metadata.name: dev-team1
+```
+
+The `dev-team1` can refer to the `cluster-config` repository in their image automation config:
+
+```yaml
+apiVersion: image.toolkit.fluxcd.io/v1beta1
+kind: ImageUpdateAutomation
+metadata:
+  name: app1
+  namespace: dev-team1
+spec:
+  sourceRef:
+    kind: GitRepository
+    name: cluster-config
+    namespace: flux-system
+```
+
+### Alternatives
+
+#### Admission controllers
+
+An alternative solution to source ACLs is to use an admission controller such as Kyverno or OPA Gatekeeper
+and allow/disallow cross-namespace access to specific source.
+
+The current proposal offers the same feature but without the need to manage yet another controller to guard
+sources.
+
+#### Kubernetes RBAC
+
+Another alternative is to rely on impersonation and create a `ClusterRoleBinding` per named source and tenant account
+as described in [fluxcd/flux2#582](https://github.com/fluxcd/flux2/pull/582). 
+
+The current proposal is more flexible than RBAC and implies less work for Flux users. ALCs act more like
+Kubernetes Network Policies where access is defined based on labels, with RBAC every time a namespace is added,
+the platform admins have to create new RBAC rules to target that namespace.
+
+#### Source reflection CRD
+
+Yet another alternative is to introduce a new API kind `SourceReflection` as described in
+[fluxcd/flux2#582-821027543](https://github.com/fluxcd/flux2/pull/582#issuecomment-821027543).
+
+The current proposal allows the owner to define the access control list on the source object, instead
+of creating objects in namespaces where it has no control over.
+
+#### Remove cross-namespace refs
+
+An alternative is to simply remove cross-namespace references from the Flux API.
+
+This would break with current behavior, and users would have to make substantial changes to their
+repository structure and workflow. In cases where e.g. a resource is common (across many namespaces),
+this would mean the source-controller would use way more memory and network bandwidth that grows with
+each namespace that uses the same Git or Helm repository due to the requirement of having to duplicate
+"common" resources.
+
+## Implementation History
+
+- ACL support for allowing cross-namespace access to `ImageRepositories` was first released in flux2 **v0.23.0**.
+- Disabling cross-namespace access to sources was first released in flux2 **v0.26.0**.

tests/azure/go.mod

@@ -4,14 +4,14 @@ go 1.17
 
 require (
 	github.com/Azure/azure-event-hubs-go/v3 v3.3.13
-	github.com/fluxcd/helm-controller/api v0.15.0
-	github.com/fluxcd/image-automation-controller/api v0.19.0
-	github.com/fluxcd/image-reflector-controller/api v0.15.0
-	github.com/fluxcd/kustomize-controller/api v0.19.1
-	github.com/fluxcd/notification-controller/api v0.20.1
+	github.com/fluxcd/helm-controller/api v0.16.0
+	github.com/fluxcd/image-automation-controller/api v0.20.0
+	github.com/fluxcd/image-reflector-controller/api v0.16.0
+	github.com/fluxcd/kustomize-controller/api v0.20.0
+	github.com/fluxcd/notification-controller/api v0.21.0
 	github.com/fluxcd/pkg/apis/meta v0.10.2
-	github.com/fluxcd/pkg/runtime v0.12.3
-	github.com/fluxcd/source-controller/api v0.20.1
+	github.com/fluxcd/pkg/runtime v0.12.4
+	github.com/fluxcd/source-controller/api v0.21.1
 	github.com/hashicorp/terraform-exec v0.14.0
 	github.com/libgit2/git2go/v31 v31.6.1
 	github.com/microsoft/azure-devops-go-api/azuredevops v1.0.0-b5

tests/azure/go.sum

@@ -198,26 +198,28 @@ github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH
 github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/felixge/httpsnoop v1.0.1/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
-github.com/fluxcd/helm-controller/api v0.15.0 h1:1uei4JWf5cOEbixj8d5mZ3EMruuarR8yCSiPIsaotKo=
-github.com/fluxcd/helm-controller/api v0.15.0/go.mod h1:/OeNzk18BVa7UmhGphENJdD/2GerKpMeDSxY8QYlO0o=
-github.com/fluxcd/image-automation-controller/api v0.19.0 h1:XR2yBR3RxB6i1mS6ZpqgbEnuV23s9q4JfkyKLyOTViU=
-github.com/fluxcd/image-automation-controller/api v0.19.0/go.mod h1:e9hAvFZT5y1X6NaSNUHXkabpMkPA3Z1bDr3yea8gMzE=
-github.com/fluxcd/image-reflector-controller/api v0.15.0 h1:2XUKXLhWjbS7X8k1Ur/LJaIv2C8kbpErB46yw4Xmf4U=
-github.com/fluxcd/image-reflector-controller/api v0.15.0/go.mod h1:SPUqO4kodOglDFpZ+GhW/XBhKo71mWIqFRc+oT0jCfc=
-github.com/fluxcd/kustomize-controller/api v0.19.1 h1:71E9/7WNQN7aNVhTvfweyOEPwOLVnohAhcR0qMnA67g=
-github.com/fluxcd/kustomize-controller/api v0.19.1/go.mod h1:q0AA6fxVlm8fvXZEaqSMMw8ANPharpywBve7dlcARhk=
-github.com/fluxcd/notification-controller/api v0.20.1 h1:iK1+icG0ESuSUki6O9tL/4uxPx6eymYwaFxGprlKSQA=
-github.com/fluxcd/notification-controller/api v0.20.1/go.mod h1:YFW/YQ6kScEzpnuKgvOJWak+9zGyF3FJ73kKsSQ4LDk=
+github.com/fluxcd/helm-controller/api v0.16.0 h1:VXlt0EZVHgz2ZX1kUuKQAaQWNj1cC3PIKMRR/0aq07g=
+github.com/fluxcd/helm-controller/api v0.16.0/go.mod h1:/OeNzk18BVa7UmhGphENJdD/2GerKpMeDSxY8QYlO0o=
+github.com/fluxcd/image-automation-controller/api v0.20.0 h1:Z+lxqif0KwccsuNOBZq5M96RXCPxtm4Xt8siC1kR6H8=
+github.com/fluxcd/image-automation-controller/api v0.20.0/go.mod h1:XhLYccGUbmJvTTpJ1jAFKZHr2e1GNXy0T85ZBO50mik=
+github.com/fluxcd/image-reflector-controller/api v0.16.0 h1:1O1YdoK7LsJgWLyvfZTSbvQcUQCBcgJ573HA0arlQQY=
+github.com/fluxcd/image-reflector-controller/api v0.16.0/go.mod h1:OIe3mSXc3OwQiNbiQ9vNXWYtNif31hc7WAbZWlFUUnc=
+github.com/fluxcd/kustomize-controller/api v0.20.0 h1:Vw+2qCxeHMv0y1mfiBgVrMfcfFevBMrRfLEdfPTrb40=
+github.com/fluxcd/kustomize-controller/api v0.20.0/go.mod h1:5MdpzJVx8+KiDIRv37zLme992BAOCgE0v1n+NOgs1lo=
+github.com/fluxcd/notification-controller/api v0.21.0 h1:D5B3TH5YtSww0SyvW1Ru5xWsh0MgHQanC/a1t3CvXq0=
+github.com/fluxcd/notification-controller/api v0.21.0/go.mod h1:gA9/j0kjh7VDuUC2Cubr9twxOdzb/0+ojcE9Lzsc9ug=
 github.com/fluxcd/pkg/apis/acl v0.0.3 h1:Lw0ZHdpnO4G7Zy9KjrzwwBmDZQuy4qEjaU/RvA6k1lc=
 github.com/fluxcd/pkg/apis/acl v0.0.3/go.mod h1:XPts6lRJ9C9fIF9xVWofmQwftvhY25n1ps7W9xw0XLU=
 github.com/fluxcd/pkg/apis/kustomize v0.3.1 h1:wmb5D9e1+Rr3/5O3235ERuj+h2VKUArVfYYk68QKP+w=
 github.com/fluxcd/pkg/apis/kustomize v0.3.1/go.mod h1:k2HSRd68UwgNmOYBPOd6WbX6a2MH2X/Jeh7e3s3PFPc=
 github.com/fluxcd/pkg/apis/meta v0.10.2 h1:pnDBBEvfs4HaKiVAYgz+e/AQ8dLvcgmVfSeBroZ/KKI=
 github.com/fluxcd/pkg/apis/meta v0.10.2/go.mod h1:KQ2er9xa6koy7uoPMZjIjNudB5p4tXs+w0GO6fRcy7I=
-github.com/fluxcd/pkg/runtime v0.12.3 h1:h21AZ3YG5MAP7DxFF9hfKrP+vFzys2L7CkUbPFjbP/0=
 github.com/fluxcd/pkg/runtime v0.12.3/go.mod h1:imJ2xYy/d4PbSinX2IefmZk+iS2c1P5fY0js8mCE4SM=
-github.com/fluxcd/source-controller/api v0.20.1 h1:BfYw1gNHykiCVFNtDz3atcf3Vph+arfuveKmouI98wE=
-github.com/fluxcd/source-controller/api v0.20.1/go.mod h1:Ab2qDmAUz6ZCp8UaHYLYzxyFrC1FQqEqjxiROb/Rdiw=
+github.com/fluxcd/pkg/runtime v0.12.4 h1:gA27RG/+adN2/7Qe03PB46Iwmye/MusPCpuS4zQ2fW0=
+github.com/fluxcd/pkg/runtime v0.12.4/go.mod h1:gspNvhAqodZgSmK1ZhMtvARBf/NGAlxmaZaIOHkJYsc=
+github.com/fluxcd/source-controller/api v0.21.0/go.mod h1:Ab2qDmAUz6ZCp8UaHYLYzxyFrC1FQqEqjxiROb/Rdiw=
+github.com/fluxcd/source-controller/api v0.21.1 h1:7X39YQHmB1vmIBrHxU+YAqxwtdC9Zh+tdtMKREW3xiQ=
+github.com/fluxcd/source-controller/api v0.21.1/go.mod h1:Ab2qDmAUz6ZCp8UaHYLYzxyFrC1FQqEqjxiROb/Rdiw=
 github.com/flynn/go-shlex v0.0.0-20150515145356-3f9db97f8568/go.mod h1:xEzjJPgXI435gkrCt3MPfRiAkVrwSbHsst4LCFVfpJc=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/form3tech-oss/jwt-go v3.2.3+incompatible h1:7ZaBxOI7TMoYBfyA3cQHErNNyAWIKUMIwqxEtgHOs5c=