capsule-proxy
Add support for MutatingWebhookConfigurations, ValidatingWebhookConfigurations, and EndpointSlices
It would be great to run separate service meshes like Istio or Linkerd for each tenant, but I believe most would at least require access to the following cluster level resources:
- MutatingWebhookConfigurations
- ValidatingWebhookConfigurations
- EndpointSlices
Having a proxied and ACL'd list of these for each tenant would be really useful to support a service mesh per tenant.
Might be possible with #185. I will keep you posted on the progress.
I don't see any problem with the EndpointSlices, since it's namespaced.
```
NAME             SHORTNAMES   APIVERSION            NAMESPACED   KIND
endpointslices                discovery.k8s.io/v1   true         EndpointSlice
```
We could add a new route for this, taking full advantage of the additional metadata for Services already supported by Capsule, which need to be documented.
Honestly, I'm not getting the point of MutatingWebhookConfigurations and ValidatingWebhookConfigurations: these are cluster-scoped resources that could impact potentially any other Namespace in the cluster.
May I ask you for a real use case to better understand your requirements?
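The concern raised in the comment above, that a cluster-scoped webhook configuration can reach Namespaces outside the tenant, can be checked mechanically. The following is an added example, not part of the thread and not capsule-proxy code; it assumes tenant Namespaces carry the `capsule.clastix.io/tenant` label, and the tenant name `solar` and the webhook names are constructed.

```python
TENANT_LABEL = "capsule.clastix.io/tenant"  # assumption: label present on tenant Namespaces

def selector_pins_tenant(selector, tenant):
    """True only if the namespaceSelector can match this tenant's Namespaces alone."""
    if not selector:
        return False  # a missing or empty selector matches every Namespace
    if selector.get("matchLabels", {}).get(TENANT_LABEL) == tenant:
        return True
    for expr in selector.get("matchExpressions", []):
        if (expr.get("key") == TENANT_LABEL and expr.get("operator") == "In"
                and expr.get("values") == [tenant]):
            return True
    return False

def audit_webhook_config(config, tenant):
    """Return (webhook name, reason) pairs for webhooks reaching beyond the tenant."""
    findings = []
    for hook in config.get("webhooks", []):
        name = hook.get("name", "<unnamed>")
        if not selector_pins_tenant(hook.get("namespaceSelector"), tenant):
            findings.append((name, "namespaceSelector does not pin the tenant"))
        for rule in hook.get("rules", []):
            # scope defaults to "*"; namespaceSelector never exempts
            # cluster-scoped objects, so only "Namespaced" rules stay contained
            if rule.get("scope", "*") != "Namespaced":
                findings.append((name, "rule also matches cluster-scoped resources"))
                break
    return findings

# Constructed sample: one contained webhook, one that reaches the whole cluster.
SAMPLE = {
    "kind": "MutatingWebhookConfiguration",
    "metadata": {"name": "mesh-injector-solar"},
    "webhooks": [
        {"name": "scoped.example.test",
         "namespaceSelector": {"matchLabels": {TENANT_LABEL: "solar"}},
         "rules": [{"apiGroups": [""], "resources": ["pods"], "scope": "Namespaced"}]},
        {"name": "wide.example.test",
         "namespaceSelector": {},
         "rules": [{"apiGroups": [""], "resources": ["pods"]}]},
    ],
}

if __name__ == "__main__":
    for name, reason in audit_webhook_config(SAMPLE, "solar"):
        print(f"{name}: {reason}")
```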
Cluster-Scoped resources are introduced with this:
- https://github.com/projectcapsule/capsule-proxy/pull/421
You can enable it with the `--feature-gates=ProxyClusterScoped=true` argument for the proxy and then create your ACLs.
Namespaced-Scoped were introduced with this:
- https://github.com/projectcapsule/capsule-proxy/pull/389
You can add the --feature-gates=ProxyAllNamespaced=true
Note these are currently both Alpha features but cover your request's use case.
Closing due to inactivity and lack of response, besides the fact it's now supported.