flux2-multi-tenancy
Tenant RBAC enhancement
Is there any example of how we can extend tenant role bindings to apply at cluster level?
We have a use case where my ingress controller has some cluster-level roles and bindings which are not possible to apply with the existing tenant role bindings.
Can you suggest how we can go about this issue?
Place the ingress controller Flux HelmRelease or Flux Kustomization in the flux-system namespace and set the service account to either helm-controller or kustomize-controller. Or you could create a dedicated tenant for cluster admins, where you would modify the RoleBinding to be a ClusterRoleBinding.
Thanks @stefanprodan. We have followed the same way for deploying cluster-level tools. But we have some other applications which we want to go with at tenant level. Yes, I am thinking of creating a new tenant with a new service account, but I am having difficulty deciding what set of RBAC we should give that tenant to have access to apply changes at cluster role level.
As I said, change the RoleBinding into a ClusterRoleBinding here: https://github.com/fluxcd/flux2-multi-tenancy/blob/main/tenants/base/dev-team/rbac.yaml#L20
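The dedicated cluster-admin tenant suggested in the replies, written out as an added example (not part of the thread and not the repository's own file). The tenant name `platform-admins`, the namespace `platform`, the GitRepository name, the path and the `cluster-admin` roleRef are assumptions made for illustration.

```yaml
# Added example. "platform-admins" and "platform" are hypothetical names.
apiVersion: v1
kind: Namespace
metadata:
  name: platform
  labels:
    toolkit.fluxcd.io/tenant: platform-admins
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: platform-admins
  namespace: platform
  labels:
    toolkit.fluxcd.io/tenant: platform-admins
---
# A regular tenant gets a namespaced RoleBinding, so its service account can
# only act inside the tenant namespace. A ClusterRoleBinding has no
# metadata.namespace and grants the roleRef across the whole cluster,
# including cluster-scoped objects such as ClusterRoles.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: platform-admins-reconciler
  labels:
    toolkit.fluxcd.io/tenant: platform-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin        # assumed; full control of the cluster
subjects:
  - kind: ServiceAccount
    name: platform-admins
    namespace: platform
---
# Flux applies this Kustomization by impersonating the service account above,
# so whoever can push to the referenced source effectively holds cluster-admin.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: ingress-controller
  namespace: platform
spec:
  interval: 10m
  prune: true
  serviceAccountName: platform-admins
  sourceRef:
    kind: GitRepository
    name: platform-admins    # hypothetical source
  path: ./ingress            # hypothetical path
```

`kubectl auth can-i create clusterroles --as=system:serviceaccount:platform:platform-admins` should answer `yes` for this tenant and `no` for an ordinary tenant's service account, which confirms the isolation boundary still holds for everyone else.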