From 9dcf3575acdae474d07a9f8152cef50ab8849169 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Thu, 25 Feb 2021 14:29:30 +0800 Subject: [PATCH 1/3] chore: document new feature flags This documents the feature flags introduced in #2481 and #2536. --- docs/administering-lagoon/feature-flags.md | 23 ++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 docs/administering-lagoon/feature-flags.md diff --git a/docs/administering-lagoon/feature-flags.md b/docs/administering-lagoon/feature-flags.md new file mode 100644 index 0000000000..ee34300249 --- /dev/null +++ b/docs/administering-lagoon/feature-flags.md @@ -0,0 +1,23 @@ +# Feature flags + +Some Lagoon features can be controlled by setting feature flags. +This is designed to assist users and administrators to roll out new platform features in a controlled manner. + +## Environment variables + +The following environment variables can be set on an environment or project to toggle feature flags. + +| Environment Variable Name | Active scope\* | Version introduced | Version removed | Default Value | Description | +| --- | --- | --- | --- | --- | --- | +| `LAGOON_FEATURE_FLAG_ROOTLESS_WORKLOAD` | `build` | 2.0.0 | - | `disabled` | Set to `enabled` to set a non-root pod securty context on the pods in this environment or project.

This flag will eventually be deprecated, at which point non-root workloads will be enforced. | +| `LAGOON_FEATURE_FLAG_ISOLATION_NETWORK_POLICY` | `build` | 2.0.0 | - | `disabled` | Set to `enabled` to add a default namespace isolation network policy to each environment on deployment.

This flag will eventually be deprecated, at which point the namespace isolation network policy will be enforced.

NOTE: enabling and then disabling this feature will _not_ remove any existing network policy from previous deployments. Those must be removed manually. | + +\* Active scope indicates whether the variable must be set as `build` or `runtime` scope to take effect. `global` sets the variable in both scopes, so that will work too. + +## Cluster-level controls + +Feature flags may also be controlled at the cluster level. There is support for this in the [`lagoon-build-deploy` chart](https://github.com/uselagoon/lagoon-charts/blob/main/charts/lagoon-build-deploy/values.yaml). +For each feature flag there are two flavours of values which can be set: `default` and `force`. + +* `default` controls the default policy for environments deployed to the cluster, but can be overridden at the project or environment level by the environment variables documented above. +* `force` also controls the policy for environments deployed to the cluster, but _cannot be overridden_ by the environment variables documented above. From ebb5022c7cb9ac9ce32ec76cdfdb429f5ff78f94 Mon Sep 17 00:00:00 2001 From: Toby Bellwood Date: Fri, 9 Apr 2021 13:45:35 +1000 Subject: [PATCH 2/3] add feature flags to summary.md --- docs/SUMMARY.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/SUMMARY.md b/docs/SUMMARY.md index 69d005090e..cc7b9c7a76 100644 --- a/docs/SUMMARY.md +++ b/docs/SUMMARY.md @@ -70,6 +70,7 @@ * [GraphQL API](administering-lagoon/graphql-queries.md) * [Role-Based Access Control \(RBAC\)](administering-lagoon/rbac.md) +* [Feature Flags](administering-lagoon/feature-flags.md) * [Harbor](administering-lagoon/using_harbor/README.md) * [Security Scanning](administering-lagoon/using_harbor/security_scanning.md) * [Harbor Settings](administering-lagoon/using_harbor/harbor-settings/README.md) From d6215f6f423f1dc56e6dce9faed095bb746f5b9c Mon Sep 17 00:00:00 2001 
From: Toby Bellwood Date: Thu, 28 Oct 2021 11:36:48 +1100 Subject: [PATCH 3/3] update FF docs --- docs/administering-lagoon/feature-flags.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/administering-lagoon/feature-flags.md b/docs/administering-lagoon/feature-flags.md index ee34300249..594d02142d 100644 --- a/docs/administering-lagoon/feature-flags.md +++ b/docs/administering-lagoon/feature-flags.md @@ -9,8 +9,8 @@ The following environment variables can be set on an environment or project to t | Environment Variable Name | Active scope\* | Version introduced | Version removed | Default Value | Description | | --- | --- | --- | --- | --- | --- | -| `LAGOON_FEATURE_FLAG_ROOTLESS_WORKLOAD` | `build` | 2.0.0 | - | `disabled` | Set to `enabled` to set a non-root pod securty context on the pods in this environment or project.

This flag will eventually be deprecated, at which point non-root workloads will be enforced. | -| `LAGOON_FEATURE_FLAG_ISOLATION_NETWORK_POLICY` | `build` | 2.0.0 | - | `disabled` | Set to `enabled` to add a default namespace isolation network policy to each environment on deployment.

This flag will eventually be deprecated, at which point the namespace isolation network policy will be enforced.

NOTE: enabling and then disabling this feature will _not_ remove any existing network policy from previous deployments. Those must be removed manually. | +| `LAGOON_FEATURE_FLAG_ROOTLESS_WORKLOAD` | `global` | 2.2.0 | - | `disabled` | Set to `enabled` to set a non-root pod security context on the pods in this environment or project.

This flag will eventually be deprecated, at which point non-root workloads will be enforced. | +| `LAGOON_FEATURE_FLAG_ISOLATION_NETWORK_POLICY` | `global` | 2.2.0 | - | `disabled` | Set to `enabled` to add a default namespace isolation network policy to each environment on deployment.

This flag will eventually be deprecated, at which point the namespace isolation network policy will be enforced.

NOTE: enabling and then disabling this feature will _not_ remove any existing network policy from previous deployments. Those must be removed manually. | \* Active scope indicates whether the variable must be set as `build` or `runtime` scope to take effect. `global` sets the variable in both scopes, so that will work too.
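Review bot: the "Cluster-level controls" section added in PATCH 1/3 (feature-flags.md) does not say which setting wins when a flag has both `default` and `force` set, and it links to the chart's values.yaml without naming the keys an administrator has to set. Both flags default to `disabled` and a `default` value can be overridden per project or environment, so the page should state outright that `force` is the only setting that makes the non-root pod security context or the namespace isolation network policy mandatory on a cluster. In the same hunk, the NOTE in the `LAGOON_FEATURE_FLAG_ISOLATION_NETWORK_POLICY` row says leftover policies "must be removed manually" without naming the policy object or how to find it, and "securty" in the `LAGOON_FEATURE_FLAG_ROOTLESS_WORKLOAD` row is a typo for "security".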
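Review bot: changing the Active scope column to `global` in both table rows of PATCH 3/3 leaves the footnote under the table out of step, since it still describes the column as naming `build` or `runtime` and treats `global` as an alternative that "will work too". If the flags now have to be visible in both scopes, update the footnote to say so, and say what happens to environments that set the variable with `build` scope as the earlier version of this page instructed. The commit message "update FF docs" also gives no reason for moving "Version introduced" from 2.0.0 to 2.2.0; a one-line explanation would help anyone checking which release actually honours these flags.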