Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: add clusterresources interception configuration #1003

Closed
wants to merge 4 commits into from
Closed

feat: add clusterresources interception configuration #1003

wants to merge 4 commits into from

Conversation

oliverbaehler
Copy link
Collaborator

@oliverbaehler oliverbaehler commented Mar 5, 2024
edited
Loading

While most of the changes happen in the capsule-proxy (see the corresponding pull request: ) the owner spec for all the tenants is extended and the capsule-proxy uses this api definition.

With this change you have additional Control of cluster Resources

apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: oil
spec:
  owners:
  - kind: User
    name: alice
    clusterResources:
    - apiGroups: 
      - kyverno.io/*
      operations:
      - "List"
      resources:
      - "*"
      selector:
        matchLabels:
          consumer: tenant
    - apiGroups: 
      - admissionregistration.k8s.io/v1
      resources:
      - "mutatingwebhookconfigurations"
      selector:
        matchLabels:
          consumer: tenant

Note all the fields are marked as required. By default the List Operation is injected. We expect a selector to be set. This is not directly enforced with this approach, however it's the easiest way to go about this with clear documentation. Setting no selectors will have no impact on the proxy. If no requirements can be extracted, the doesnotexist Exists requirement is added. Therefor preventing from listing all the resources.

@netlify Netlify
Copy link

netlify bot commented Mar 5, 2024
edited
Loading

Deploy Preview for capsule-documentation ready!

Name Link
🔨 Latest commit 4349140
🔍 Latest deploy log https://app.netlify.com/sites/capsule-documentation/deploys/65e8a26c3c57e80008aca887
😎 Deploy Preview https://deploy-preview-1003--capsule-documentation.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@oliverbaehler oliverbaehler added this to the v0.7.0 milestone Mar 6, 2024
@oliverbaehler oliverbaehler mentioned this pull request Mar 23, 2024
Closed
prometherion
prometherion reviewed Mar 24, 2024
View reviewed changes
Copy link
Member

@prometherion prometherion left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should start creating a separation of concerns between Capsule and its Proxy: since this is strictly related to the latter, shouldn't be better to move this logic there, as we did with the ProxySetting?

@oliverbaehler
Copy link
Collaborator Author

@prometherion thanks for your review. Sure thing, but that would mean with a new stable release we would also remove the proxysettings on the ownerspec, correct?

@prometherion
Copy link
Member

I'd say so, yes, especially considering we want to act as a framework.

@oliverbaehler oliverbaehler mentioned this pull request Mar 28, 2024
Open
@oliverbaehler oliverbaehler removed this from the v0.7.0 milestone Apr 10, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@prometherion prometherion prometherion left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@oliverbaehler @prometherion