Multi-Tenancy Management in Flux2
Flux2 is a GitOps controller for Kubernetes that lets different organizations and/or teams share the same Kubernetes control plane, a setup referred to as “multi-tenancy”. Flux2 supports segmentation and isolation of resources, using namespaces and role-based access control (RBAC) to make this safe.
Design Philosophy
Flux2 defers to Kubernetes’ native RBAC to specify which operations are authorized when processing its custom resources. By default, this means operations are constrained only by the service account under which the controllers run, which has the cluster-admin role bound to it. In a multi-tenant deployment, each tenant needs to be restricted in the operations that can be performed on their behalf. Since tenants control Flux through its API objects, this becomes a matter of attaching appropriate RBAC rules to each tenant.
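The following manifests, an added example rather than configuration from the Flux project, show how the restriction described above is expressed: a namespaced service account with a RoleBinding limited to the tenant namespace, and a Kustomization that names that account in spec.serviceAccountName so the kustomize-controller impersonates it instead of acting as cluster-admin. The tenant name "dev-team" and a GitRepository named "dev-team" in the same namespace are assumed.

```yaml
# Constructed example (tenant name "dev-team" is assumed): restricting what a
# tenant's Kustomization may do by having Flux impersonate a namespaced account.
# Without spec.serviceAccountName the kustomize-controller applies the tenant's
# manifests with its own identity, which is bound to cluster-admin.
apiVersion: v1
kind: Namespace
metadata:
  name: dev-team
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: dev-team
  namespace: dev-team
---
# Bind the built-in "admin" ClusterRole only inside the tenant namespace, so the
# reconciler cannot create cluster-scoped objects or touch other namespaces.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-team-reconciler
  namespace: dev-team
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- kind: ServiceAccount
  name: dev-team
  namespace: dev-team
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: dev-team-apps
  namespace: dev-team
spec:
  interval: 5m
  serviceAccountName: dev-team   # reconcile as the tenant account, not cluster-admin
  sourceRef:
    kind: GitRepository
    name: dev-team               # assumed to exist in the dev-team namespace
  path: ./apps
  prune: true
```

A HelmRelease carries the same spec.serviceAccountName field for the helm-controller, so the one RoleBinding above bounds both Kustomize- and Helm-based reconciliations for the tenant.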
Programming languages
Flux2 is written in Go; some supporting pieces are expressed as Helm charts and Jsonnet.
Flux
Flux is a tool for continuous delivery to Kubernetes, providing a Kubernetes-native way of managing applications. It can watch for changes in Git repositories and automatically apply them to a cluster, as well as handle rolling updates and rollbacks.
Kustomize
Kustomize is a standalone tool to customize Kubernetes objects through a kustomization file. It simplifies the configuration management of Kubernetes objects by allowing you to define a base configuration and then apply overlays on top of it to customize it for different environments.
Git
Git is a distributed version control system that allows for easy collaboration and tracking of changes. Flux2 uses Git as a source of truth for the desired state of the cluster, and can automatically apply changes from Git to the cluster.
Kubernetes
Kubernetes is an open-source platform for automating deployment, scaling, and management of containerized applications. Flux2 is a Kubernetes controller that extends the Kubernetes API to provide GitOps functionality.
Helm
Helm is a package manager for Kubernetes that allows you to package your Kubernetes deployments into reusable components, called charts. Flux2 can work with Helm to deploy and manage Helm charts in a cluster.
Kyverno
Kyverno is a policy engine for Kubernetes that allows you to define and enforce policies for your cluster. Flux2 can use Kyverno to enforce policies on the cluster, such as ensuring that all pods have the correct labels.
sops
sops is a tool for managing secrets on Kubernetes. It allows you to encrypt and decrypt secrets, and can be used with Flux2 to automatically apply encrypted secrets to a cluster.