Mirrors
/
flux2
mirror of https://github.com/fluxcd/flux2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
dependabot/go_modules/helm.sh/helm/v3-3.18.5
main
dependabot/github_actions/ci-4e448727d0
rfc-external-artifact
release/v2.6.x
conform-k8s-1.33
release/v2.5.x
release/v2.4.x
remove-notation-validation
release/v2.3.x
release/v2.2.x
RFC
fix-commit-log
flux-audit
release/v2.1.x
context-ns
ksm-dashboard
rfc-passwordless-git-auth
release/v2.0.x
rfc-gating
release/v0.27.4
rfc-0003
rfc-0002
rfc-0001
prompt-for-tokens
encrypt-init-cmd
v2.6.4
v2.6.3
v2.6.2
v2.6.1
v2.6.0
v2.5.1
v2.5.0
v2.4.0
v2.3.0
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.1
v2.1.0
v2.0.1
v2.0.0
v2.0.0-rc.5
v2.0.0-rc.4
v2.0.0-rc.3
v2.0.0-rc.2
v2.0.0-rc.1
v0.41.2
v0.40.0
v0.39.0
v0.38.2
v0.38.1
v0.38.0
v0.37.0
v0.36.0
v0.35.0
v0.34.0
v0.33.0
v0.32.0
v0.31.3
v0.31.2
v0.31.1
v0.31.0
v0.30.1
v0.28.2
v0.27.2
v0.27.1
v0.27.0
v0.26.3
v0.26.2
v0.26.1
v0.26.0
v0.25.3
v0.0.1
v0.0.1-alpha.1
v0.0.1-beta.1
v0.0.1-beta.2
v0.0.1-beta.3
v0.0.1-beta.4
v0.0.10
v0.0.11
v0.0.12
v0.0.13
v0.0.14
v0.0.15
v0.0.16
v0.0.17
v0.0.18
v0.0.19
v0.0.2
v0.0.20
v0.0.21
v0.0.22
v0.0.23
v0.0.24
v0.0.25
v0.0.26
v0.0.27
v0.0.28
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.10.0
v0.11.0
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.13.4
v0.14.0
v0.14.1
v0.14.2
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.16.0
v0.16.1
v0.16.2
v0.17.0
v0.17.1
v0.17.2
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.19.0
v0.19.1
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.20.0
v0.20.1
v0.21.0
v0.21.1
v0.22.0
v0.22.1
v0.23.0
v0.24.0
v0.24.1
v0.25.0
v0.25.1
v0.25.2
v0.27.3
v0.27.4
v0.28.0
v0.28.1
v0.28.3
v0.28.4
v0.28.5
v0.29.0
v0.29.1
v0.29.2
v0.29.3
v0.29.4
v0.29.5
v0.3.0
v0.30.0
v0.30.2
v0.31.4
v0.31.5
v0.38.3
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.40.1
v0.40.2
v0.41.0
v0.41.1
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.8.0
v0.8.1
v0.8.2
v0.9.0
v0.9.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '6772ca519f'
${ noResults }
flux2/rfcs/RFC-0012-wildcard-namespace.../README.md

5.2 KiB
Raw Blame History Unescape Escape

RFC-0012 Namespace Wildcard Alert Support

Status: provisional

Creation date: 2025-06-29

Last update: 2025-06-29

Summary

Enable Alert.spec.eventSources[].namespace: "*" in the FluxCD Notification Controller behind a dedicated feature gate (--enable-namespace-wildcard-events) while preserving the global kill-switch (--no-cross-namespace-refs) for multi-tenant isolation. This provides cluster-wide alert configuration with minimal operator effort and no additional surface area for secret leakage.

Motivation

Fluxs Notification Controller today requires one Alert per namespace or explicit namespace lists, making cluster-wide error monitoring laborious and brittle. A user-land PR #504 to allow wildcard namespaces has been on hold pending a formal RFC, and issue #71 has long requested this enhancement. Meanwhile, multi-tenant operators rely on --no-cross-namespace-refs=true to enforce strict per-namespace boundaries.

Goals

  • Operator Convenience: Support a single Alert watching all namespaces via namespace: "*" without templating per-namespace resources.
  • Opt-in Safety: Gate wildcard support behind --enable-namespace-wildcard-events (default off).
  • Global Kill-Switch: Honor --no-cross-namespace-refs=true to disable wildcard (and all cross-namespace refs) when set.
  • Minimal Surface Area: No new CRD types or cross-namespace secret reads.

Non-Goals

  • Introducing new CRDs (e.g., ClusterAlert).
  • Implementing complex cross-namespace authorization (e.g., ReferenceGrant).
  • Allowing Provider references across namespaces.

Proposal

  1. New Feature Flag

    • Introduce --enable-namespace-wildcard-events (boolean; default false).
    • When true, controllers accept literal "*" in Alert.spec.eventSources[].namespace.
    • When false, any "*" is rejected during validation with an explicit error.

  2. Interaction with --no-cross-namespace-refs

    • --no-cross-namespace-refs=true remains the global kill-switch: if set, wildcard is rejected regardless of the new flag.

  3. CRD Validation

    • Update the Alert CRD schema (spec.eventSources[].namespace) to allow "*" only if --enable-namespace-wildcard-events=true.
    • Webhook returns: 
      spec.eventSources[i].namespace: '*' is not allowed; enable via --enable-namespace-wildcard-events
      or, if --no-cross-namespace-refs=true: 
      spec.eventSources[i].namespace: '*' is disallowed by --no-cross-namespace-refs

  4. RBAC Requirements

    • To monitor all namespaces, the controllers ServiceAccount must have list,watch on Flux source CRs (e.g., GitRepository, HelmRelease) cluster-wide.
    • In tenant-isolated installs where the SA lacks these permissions, wildcard support is effectively inert.

  5. Secret Access Boundary

    • Providers continue to reference secrets in their own namespace; no cross-namespace secret reads are introduced by wildcard alerts.

User Stories

  • Cluster Operator

    As a cluster operator, I want to define a single Alert in flux-system that picks up all HelmRelease failures across every namespace so that I dont need to manage per-namespace Alert CRDs.

  • Multi-Tenant Admin

    As a multi-tenant platform admin, I want to ensure that no tenant can enable wildcard alerts unless I explicitly allow it, and I want a single flag (--no-cross-namespace-refs=true) to disable all cross-namespace features.

Alternatives

  • ReferenceGrant-Gated Wildcard: Leverage Kubernetes ReferenceGrant API for explicit per-namespace grants (rejected due to KEP-3766 closure).
  • Namespace Label Selector: Use spec.namespaceSelector to select labeled namespaces (requires cluster-wide label management).
  • Namespace Regex Matching: Permit regex patterns in place of exact namespace names (error-prone and overly broad).
  • ClusterAlert CRD: Introduce a cluster-scoped Alert type (adds new API surface).
  • ResourceSet Templating: Use Flux ResourceSet to generate per-namespace Alerts (still creates multiple CRs).

Design Details

  • CLI Changes: Add --enable-namespace-wildcard-events to controller options alongside existing flags like --no-cross-namespace-refs.
  • Validation Webhook: Enforce schema constraint on namespace field based on feature gates.
  • Controller Logic:
    • On reconciliation, if wildcard is enabled and not globally disabled, list/watch across all namespaces.
    • Otherwise, restrict to the Alerts own namespace.
  • Documentation: Update Flux Notification Controller Options and the Alerts guide to include wildcard examples and flag semantics.

Implementation History

  • 2025-06-29: Draft RFC-0012 created.
  • TBD: Feature implementation, tests, docs.
  • TBD: Community review and merge into flux2/rfcs.