Mirrors
/
flux2
mirror of https://github.com/fluxcd/flux2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
dependabot/github_actions/ci-09038c3922
update-rfc-0010
dependabot/go_modules/tests/integration/golang.org/x/net-0.38.0
main
dependabot/go_modules/tests/integration/golang.org/x/crypto-0.35.0
dependabot/go_modules/github.com/golang-jwt/jwt/v4-4.5.2
dependabot/go_modules/github.com/golang-jwt/jwt/v5-5.2.2
dependabot/go_modules/github.com/redis/go-redis/v9-9.7.3
rfc-external-artifact
release/v2.5.x
release/v2.4.x
remove-notation-validation
release/v2.3.x
rfc-flux-bootstrap-oci
release/v2.2.x
RFC
fix-commit-log
flux-audit
release/v2.1.x
context-ns
ksm-dashboard
rfc-passwordless-git-auth
release/v2.0.x
rfc-gating
release/v0.27.4
rfc-0003
rfc-0002
rfc-0001
prompt-for-tokens
encrypt-init-cmd
v2.5.1
v2.5.0
v2.4.0
v2.3.0
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.1
v2.1.0
v2.0.1
v2.0.0
v2.0.0-rc.5
v2.0.0-rc.4
v2.0.0-rc.3
v2.0.0-rc.2
v2.0.0-rc.1
v0.41.2
v0.40.0
v0.39.0
v0.38.2
v0.38.1
v0.38.0
v0.37.0
v0.36.0
v0.35.0
v0.34.0
v0.33.0
v0.32.0
v0.31.3
v0.31.2
v0.31.1
v0.31.0
v0.30.1
v0.28.2
v0.27.2
v0.27.1
v0.27.0
v0.26.3
v0.26.2
v0.26.1
v0.26.0
v0.25.3
v0.0.1
v0.0.1-alpha.1
v0.0.1-beta.1
v0.0.1-beta.2
v0.0.1-beta.3
v0.0.1-beta.4
v0.0.10
v0.0.11
v0.0.12
v0.0.13
v0.0.14
v0.0.15
v0.0.16
v0.0.17
v0.0.18
v0.0.19
v0.0.2
v0.0.20
v0.0.21
v0.0.22
v0.0.23
v0.0.24
v0.0.25
v0.0.26
v0.0.27
v0.0.28
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.10.0
v0.11.0
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.13.4
v0.14.0
v0.14.1
v0.14.2
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.16.0
v0.16.1
v0.16.2
v0.17.0
v0.17.1
v0.17.2
v0.18.0
v0.18.1
v0.18.2
v0.18.3
v0.19.0
v0.19.1
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.6
v0.20.0
v0.20.1
v0.21.0
v0.21.1
v0.22.0
v0.22.1
v0.23.0
v0.24.0
v0.24.1
v0.25.0
v0.25.1
v0.25.2
v0.27.3
v0.27.4
v0.28.0
v0.28.1
v0.28.3
v0.28.4
v0.28.5
v0.29.0
v0.29.1
v0.29.2
v0.29.3
v0.29.4
v0.29.5
v0.3.0
v0.30.0
v0.30.2
v0.31.4
v0.31.5
v0.38.3
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.40.1
v0.40.2
v0.41.0
v0.41.1
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.8.0
v0.8.1
v0.8.2
v0.9.0
v0.9.1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '904a805137'
${ noResults }
flux2/rfcs/0005-global-objects/README.md

2.6 KiB
Raw Blame History

RFC-0005 Memorandum on Flux Global Objects

Summary

This RFC describes in detail, the need for the concept of global objects.

Motivation

In multi-tenant environments, especially larger ones, the need for sharing objects across namespaces increases for several reasons, including security, scalability and complexity.

Goals

  • Establish a common optional 'Global' field on objects that allows the owner to share it with every other tenant in a cluster
  • Replace 'LocalObjectReference' with 'NamespaceObjectReference' in CR refs, with the required safeguards to ensure cross namespace refs are not used for non-'Global' objects.

Non-Goals

  • This is not intended at defining a comprehensive definition of granular authorization for objects

Security implications

  • Cluster admins (and in some cases tenants) might need to share some of the resources they manage to other tenants in the cluster. Since many of the types of resources that flux manage are bound to namespace local secrets (such as Providers, Gitrepositories, etc), it's not possible to share access to one of these resources without sharing the sensitive secrets they require.

  • Namespace isolation is currently available in controllers via --no-cross-namespace-refs, and while disabling these by default is good for overall security, it should be possible to override this behavior on a specific object's scope, where the owner of the object which is made globally available is responsible for the security considerations of exposing their object to other tenants. This flag also makes little difference to refs in many object types which right now only take in local refs.

  • No RBAC should be required for this, since normally the controllers themselves already have full access to every object.

Kubernetes API usage

  • In large scale multi-tenant environments, not being able to share specific resources with multiple tenants results in the need to create a (potentially) very large amount of duplicate objects with the same information, resulting in additional unnecessary storage in Kubernetes, as well as an increase in API calls

Flux's authorization model

  • While having a fine grained authorization model for flux objects would be ideal, the previously discussed requirements for it (ReferenceGrant) might take a very long time to be available and does not necessarily conflict with the concept of Global objects, which should be a simple toggle and easier for object owners to configure without requiring a long spec.

Backwards compatibility

As the NamespaceObjectReference is an extension of LocalObjectReference, backward compatibility is unaffected