Community

This repository serves as a starting point for managing multi-tenant clusters with Git and Flux v2. [Source: README.md]

Getting Involved

  • Contribute Code: The project welcomes contributions from the community. You can find issues labeled “good first issue” in the GitHub repository that are a good starting point for new contributors.
  • Report Issues: If you encounter a bug or have a feature request, please open an issue in the GitHub repository.
  • Discuss: Join the community on the Flux Slack channel for discussions about Flux and multi-tenancy.

Roles and Responsibilities

Platform Admin

  • Has cluster admin access to the fleet of clusters
  • Has maintainer access to the fleet Git repository
  • Manages cluster-wide resources (CRDs, controllers, cluster roles, etc.)
  • Onboards the tenant’s main GitRepository and Kustomization
  • Manages tenants by assigning namespaces, service accounts and role binding to the tenant’s apps [Source: README.md]

Tenant

  • Has admin access to the namespaces assigned to them by the platform admin
  • Has maintainer access to the tenant Git repository and apps repositories
  • Manages app deployments with GitRepositories and Kustomizations
  • Manages app releases with HelmRepositories and HelmReleases [Source: README.md]

Default Service Account

The repository sets a default service account on `kustomize-controller` and `helm-controller` via the `--default-service-account` flag. If a tenant does not set `spec.serviceAccountName` on a Flux `Kustomization` or `HelmRelease`, the controller impersonates that default account when applying the reconciled resources. [Source: README.md]

The account chosen as the default should carry no privileges, and each named service account a tenant uses should follow the least-privilege model, holding only the permissions its workloads need. [Source: README.md]

The repository applies the flag automatically through the `kustomization.yaml` of both clusters, next to `--no-cross-namespace-refs=true`, which makes the controllers refuse source references that point into another namespace: [Source: README.md]

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gotk-components.yaml
  - gotk-sync.yaml
patches:
  # Refuse sourceRef/chart references that cross a namespace boundary
  - patch: |
      - op: add
        path: /spec/template/spec/containers/0/args/-
        value: --no-cross-namespace-refs=true
    target:
      kind: Deployment
      name: "(kustomize-controller|helm-controller|notification-controller|image-reflector-controller|image-automation-controller)"
  # Impersonate the unprivileged default SA when spec.serviceAccountName is omitted
  - patch: |
      - op: add
        path: /spec/template/spec/containers/0/args/-
        value: --default-service-account=default
    target:
      kind: Deployment
      name: "(kustomize-controller|helm-controller)"
```
[Source: README.md]

With this patch in place, `kustomize-controller` and `helm-controller` impersonate the `default` service account of the tenant namespace whenever a `Kustomization` or `HelmRelease` omits `spec.serviceAccountName`. The `default` service account exists in every namespace and must be kept free of any role bindings, so that a tenant resource that forgets to name an account can apply nothing at all. [Source: README.md]

For a tenant to operate, the platform admin creates a service account with the required permissions in the tenant namespace, and the tenant sets its name in `spec.serviceAccountName` on every `Kustomization` and `HelmRelease` they own. [Source: README.md]
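The following is an added example, not code from this page or from the fluxcd/flux2-multi-tenancy repository: a small Python audit that applies the rules described above (the platform admin's onboarding set of namespace, service account and role binding; a mandatory `spec.serviceAccountName` that is never the unprivileged `default`; no source references into another namespace; no cluster-wide bindings for tenant subjects) to a constructed tenant manifest set. The tenant name `dev-team`, the namespace `apps`, the Git URL and every manifest are assumptions made for illustration; the rule set and the API versions (`source.toolkit.fluxcd.io/v1`, `kustomize.toolkit.fluxcd.io/v1`, `helm.toolkit.fluxcd.io/v2`) are the ones a current Flux installation uses.

```python
"""Audit a tenant's Flux manifests against the multi-tenancy rules on this page.
Added example, not code from the fluxcd/flux2-multi-tenancy repository; the tenant
(dev-team), its namespace (apps), the Git URL and all manifests are constructed."""
from typing import Dict, Iterable, List

Manifest = Dict
APPLIER_KINDS = {"Kustomization", "HelmRelease"}
# Both controllers run with --default-service-account=default, so an omitted
# spec.serviceAccountName means impersonating the rightless default SA.
DEFAULT_SA = "default"


def _ns(obj: Manifest) -> str:
    return obj.get("metadata", {}).get("namespace", "default")


def _source_ref(obj: Manifest) -> Dict:
    """Kustomization keeps sourceRef at spec level, HelmRelease under chart.spec."""
    spec = obj.get("spec", {})
    if obj["kind"] == "HelmRelease":
        return spec.get("chart", {}).get("spec", {}).get("sourceRef", {})
    return spec.get("sourceRef", {})


def audit(manifests: Iterable[Manifest], tenant_ns: str) -> List[str]:
    """Return one finding per violation; an empty list means the tenant is clean."""
    objs = list(manifests)
    findings: List[str] = []
    defined = {(_ns(o), o["metadata"]["name"]) for o in objs if o["kind"] == "ServiceAccount"}
    bound = set()
    for o in objs:
        for s in o.get("subjects", []):
            # A ClusterRoleBinding on a tenant subject escapes the namespace; a RoleBinding
            # inside the tenant namespace (e.g. to ClusterRole admin) is the intended grant.
            if o["kind"] == "ClusterRoleBinding" and s.get("namespace") == tenant_ns:
                findings.append(f"ClusterRoleBinding/{o['metadata']['name']}: grants "
                                f"cluster-wide rights to tenant subject {s.get('name')}")
            elif (o["kind"] == "RoleBinding" and _ns(o) == tenant_ns
                  and s.get("kind") == "ServiceAccount"):
                bound.add((s.get("namespace", tenant_ns), s["name"]))
    for o in objs:
        if o["kind"] not in APPLIER_KINDS or _ns(o) != tenant_ns:
            continue
        ident = f"{o['kind']}/{_ns(o)}/{o['metadata']['name']}"
        sa = o.get("spec", {}).get("serviceAccountName")
        if not sa:
            findings.append(f"{ident}: spec.serviceAccountName missing, the controller "
                            f"would impersonate the unprivileged '{DEFAULT_SA}' SA")
        elif sa == DEFAULT_SA:
            findings.append(f"{ident}: uses '{DEFAULT_SA}', which must stay unprivileged")
        elif (tenant_ns, sa) not in defined:
            findings.append(f"{ident}: ServiceAccount {tenant_ns}/{sa} is not defined")
        elif (tenant_ns, sa) not in bound:
            findings.append(f"{ident}: ServiceAccount {tenant_ns}/{sa} has no RoleBinding")
        ref = _source_ref(o)
        ref_ns = ref.get("namespace", _ns(o))
        if ref_ns != _ns(o):
            findings.append(f"{ident}: sourceRef targets {ref.get('kind')} in namespace "
                            f"{ref_ns}, rejected under --no-cross-namespace-refs=true")
    return findings


def tenant_manifests() -> List[Manifest]:
    """Constructed onboarding set: namespace, SA and RoleBinding (the platform admin's part)
    plus the tenant's main GitRepository and Kustomization, all in the tenant namespace."""
    return [
        {"apiVersion": "v1", "kind": "Namespace", "metadata": {"name": "apps"}},
        {"apiVersion": "v1", "kind": "ServiceAccount", "metadata": {"name": "dev-team", "namespace": "apps"}},
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
         "metadata": {"name": "dev-team-reconciler", "namespace": "apps"},
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "admin"},
         "subjects": [{"kind": "ServiceAccount", "name": "dev-team", "namespace": "apps"}]},
        {"apiVersion": "source.toolkit.fluxcd.io/v1", "kind": "GitRepository",
         "metadata": {"name": "dev-team", "namespace": "apps"},
         "spec": {"interval": "5m", "url": "https://github.com/example/dev-team", "ref": {"branch": "main"}}},
        {"apiVersion": "kustomize.toolkit.fluxcd.io/v1", "kind": "Kustomization",
         "metadata": {"name": "dev-team", "namespace": "apps"},
         "spec": {"interval": "5m", "path": "./", "prune": True, "serviceAccountName": "dev-team",
                  "sourceRef": {"kind": "GitRepository", "name": "dev-team"}}},
    ]


def misconfigured_manifests() -> List[Manifest]:
    """Same tenant plus two mistakes: a Kustomization with no serviceAccountName and a
    HelmRelease whose chart comes from a HelmRepository that lives in flux-system."""
    return tenant_manifests() + [
        {"apiVersion": "kustomize.toolkit.fluxcd.io/v1", "kind": "Kustomization",
         "metadata": {"name": "podinfo", "namespace": "apps"},
         "spec": {"interval": "5m", "path": "./podinfo", "sourceRef": {"kind": "GitRepository", "name": "dev-team"}}},
        {"apiVersion": "helm.toolkit.fluxcd.io/v2", "kind": "HelmRelease",
         "metadata": {"name": "redis", "namespace": "apps"},
         "spec": {"interval": "5m", "serviceAccountName": "dev-team", "chart": {"spec": {"chart": "redis",
                  "sourceRef": {"kind": "HelmRepository", "name": "bitnami", "namespace": "flux-system"}}}}},
    ]


if __name__ == "__main__":
    for label, objs in (("clean", tenant_manifests()), ("misconfigured", misconfigured_manifests())):
        print(label, audit(objs, "apps") or "no findings")
```

The check runs on plain dictionaries so it works offline; in practice you would feed it the output of `yaml.safe_load_all` over the tenant repository, or `kubectl get ... -o json` over a live cluster, and fail the tenant's CI on any finding. The first two findings it reports are exactly the cases the controllers would otherwise surface only at reconcile time: an omitted `serviceAccountName` is applied as the rightless `default` account, and a cross-namespace `sourceRef` is rejected by `--no-cross-namespace-refs=true`.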