Add single-namespace deployment mode

Open EronWright opened this issue 1 year ago • 2 comments

A single-namespace deployment of PKO is one where the operator serves only its own namespace, and doesn't require the installation of a ClusterRole or ClusterRoleBinding. Of course, PKO requires various CRDs be installed, so having admin rights to install cannot be avoided altogether.

PKOv2 is designed to natively support multi-tenancy across namespaces without needing to deploy separate instances of the operator into each namespace. Looking back at https://github.com/pulumi/pulumi-kubernetes-operator/pull/328, we see that the ability to deploy to multiple namespaces was added to address a lack of isolation: https://github.com/pulumi/home/issues/2330. So, single-namespace mode isn't needed for the multi-tenancy use-case anymore.

Aside from multi-tenancy, a reasonable use-case is for non-admins to be able to install the operator into their own namespace.

Implementation-wise, we need to:

  • add code to the manager to scope its cache and its watches to a WATCH_NAMESPACE.
  • optional: make a deploy app that can target a specific namespace. We might need a different kustomization overlay for this, or might need to port the manifests into Pulumi code.
  • update the helm chart to support this mode.

EronWright, Sep 26 '24 18:09
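An added example (not code from the pulumi-kubernetes-operator repository): a Go check that applies the issue's definition of single-namespace mode to the objects of a rendered install, separating the CRDs that still need a cluster admin from objects that break the mode. The `pko-manager` names, the `team-a` namespace and both sample object lists are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Object is the subset of a rendered manifest that this check needs.
type Object struct{ Kind, Name, Namespace string }

// Constructed sample installs; names and the team-a namespace are hypothetical.
var clusterWide = []Object{
	{"CustomResourceDefinition", "stacks.pulumi.com", ""},
	{"ClusterRole", "pko-manager", ""},
	{"ClusterRoleBinding", "pko-manager", ""},
	{"ServiceAccount", "pko-manager", "team-a"},
	{"Deployment", "pko-manager", "team-a"},
}
var singleNS = []Object{
	{"CustomResourceDefinition", "stacks.pulumi.com", ""},
	{"Role", "pko-manager", "team-a"},
	{"RoleBinding", "pko-manager", "team-a"},
	{"ServiceAccount", "pko-manager", "team-a"},
	{"Deployment", "pko-manager", "team-a"},
}
// Audit splits an install into objects that still need a cluster admin (CRDs)
// and objects that break single-namespace mode for namespace ns.
func Audit(objs []Object, ns string) (adminOnly, violations []string) {
	for _, o := range objs {
		id := o.Kind + "/" + o.Name
		switch {
		case o.Kind == "CustomResourceDefinition":
			adminOnly = append(adminOnly, id) // unavoidable, as the issue notes
		case o.Kind == "ClusterRole" || o.Kind == "ClusterRoleBinding":
			violations = append(violations, id+": cluster-scoped RBAC")
		case o.Namespace != ns:
			violations = append(violations, fmt.Sprintf("%s: namespace %q, want %q", id, o.Namespace, ns))
		}
	}
	sort.Strings(adminOnly)
	sort.Strings(violations)
	return adminOnly, violations
}

func main() {
	admin, bad := Audit(clusterWide, "team-a")
	fmt.Println("cluster-wide:", admin, bad)
	admin, bad = Audit(singleNS, "team-a")
	fmt.Println("single-namespace:", admin, bad)
}
```

Any other cluster-scoped kind has an empty namespace and is therefore reported by the namespace comparison as well.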

Added to epic https://github.com/pulumi/pulumi-kubernetes-operator/issues/586

cleverguy25, Sep 26 '24 18:09

Closes: https://github.com/pulumi/pulumi-kubernetes-operator/issues/279
Closes: https://github.com/pulumi/pulumi-kubernetes-operator/issues/247

EronWright, Oct 29 '24 23:10