
Add `additionalClusterRoleBindings` to allow setting cluster wide access for a tenant.

Open · devantler opened this issue 8 months ago · 1 comment

Describe the feature

We have a need to control cluster-scoped RBAC for a Tenant, to allow it cluster-scoped access to things outside of its Tenant. Today we do this by creating native ClusterRole and ClusterRoleBinding resources next to the capsule.clastix.io/v1beta2.Tenant resource. This works, but we would love a more Capsule-native way of doing this.

The concrete need spawned as we want to install the Grafana Alloy Agent in a Capsule Tenant, and allow it to scrape and monitor services, nodes, etc., in the full cluster, while still ensuring it has least privilege.

It would be great if an additional object was added to the Tenant CR, so this is possible with an additionalClusterRoleBindings object like so:

```yaml
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: oil
spec:
  owners:
  - name: alice
    kind: User
  additionalClusterRoleBindings:
  - clusterRoleName: 'prometheus-servicemonitors-viewer'
    subjects:
    - ...
```

Expected behavior

Allow controlling cluster-scoped RBAC for tenants in a Capsule-native way.

devantler, Feb 24 '25 11:02
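The workaround the issue describes (native ClusterRole and ClusterRoleBinding applied by the cluster administrator next to the Tenant), written out for the Alloy scraping case. This is an added example, not code from the issue or from the Capsule project, and the proposed `additionalClusterRoleBindings` field is not assumed to exist. The namespace `oil-monitoring` and the ServiceAccount `alloy` are assumptions for illustration; the resource list is kept to what service, pod and node discovery plus metrics scraping need, with read-only verbs, no wildcards and no access to Secrets.

```yaml
# Added example (not from the issue or the Capsule project).
# Assumed names: namespace "oil-monitoring", ServiceAccount "alloy".
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: alloy-cluster-scrape
rules:
  # Target discovery across all namespaces: read-only verbs only.
  # Deliberately no "secrets", no write verbs, no "*" resources.
  - apiGroups: [""]
    resources: ["nodes", "services", "endpoints", "pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]
  # Kubelet metrics fetched through the API server proxy use the
  # nodes/metrics subresource.
  - apiGroups: [""]
    resources: ["nodes/metrics"]
    verbs: ["get"]
  # Prometheus Operator CRDs, matching the "servicemonitors viewer"
  # role named in the proposal above.
  - apiGroups: ["monitoring.coreos.com"]
    resources: ["servicemonitors", "podmonitors"]
    verbs: ["get", "list", "watch"]
  # The API server's own /metrics endpoint is a non-resource URL.
  - nonResourceURLs: ["/metrics"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: alloy-cluster-scrape
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: alloy-cluster-scrape
subjects:
  # The tenant workload's ServiceAccount (assumed names) is an ordinary
  # RBAC subject; binding it cluster-wide does not widen the tenant itself.
  - kind: ServiceAccount
    name: alloy
    namespace: oil-monitoring
```

Before relying on it, check the binding from the ServiceAccount's point of view: `kubectl auth can-i list nodes --as=system:serviceaccount:oil-monitoring:alloy` should answer `yes`, while `kubectl auth can-i get secrets --all-namespaces --as=system:serviceaccount:oil-monitoring:alloy` and `kubectl auth can-i create pods --all-namespaces --as=system:serviceaccount:oil-monitoring:alloy` should answer `no`. Because a ClusterRoleBinding is cluster-scoped, it has to be created by a cluster administrator rather than by the tenant owner, which is the coupling the issue asks Capsule to absorb into the Tenant resource.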