This addon enables smooth integration of multi-tenancy in Kubernetes with Capsule, the GitOps way with Flux CD.
In particular, it enables Tenants to manage their own resources, including creating Namespaces, while respecting the Flux multi-tenancy lockdown.
Tenant resources (Kustomization, HelmRelease, etc.) can be reconciled as Tenant owners.
This way tenants can be provided Namespace-as-a-Service in a GitOps fashion.
```shell
helm install -n capsule-system capsule-addon-fluxcd oci://ghcr.io/projectcapsule/charts/capsule-addon-fluxcd
```

With the addon, you as platform admin just need, for the oil Tenant, a ServiceAccount with the capsule.addon.fluxcd/enabled=true annotation:
```yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: oil-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitops-reconciler
  namespace: oil-system
  annotations:
    capsule.addon.fluxcd/enabled: "true"
```

and set it as a valid oil Tenant owner:
```yaml
---
apiVersion: capsule.clastix.io/v1beta2
kind: Tenant
metadata:
  name: oil
spec:
  additionalRoleBindings:
  - clusterRoleName: cluster-admin
    subjects:
    - name: gitops-reconciler
      kind: ServiceAccount
      namespace: oil-system
  owners:
  - name: system:serviceaccount:oil-system:gitops-reconciler
    kind: ServiceAccount
---
apiVersion: capsule.clastix.io/v1beta2
kind: CapsuleConfiguration
metadata:
  name: default
spec:
  userGroups:
  - capsule.clastix.io
  - system:serviceaccounts:oil-system
```

Without the addon you would need to manually manage RBAC and the kubeConfig for the Tenant owner.
The addon will automate the permissions and the kubeConfig Secret for the ServiceAccount Tenant owner in order to be used by Flux when reconciling Tenant resources.
Let's go through examples.
Consider a Tenant named oil that has a dedicated Git repository that contains oil's configurations.
You want to provide the oil Tenant with Namespace-as-a-Service and a GitOps experience, allowing the tenant to version its configurations in a Git repository.
You, as platform admin and Tenant owner, can configure Flux reconciliation resources to be applied as Tenant owner:
```yaml
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
  name: oil-apps
  namespace: oil-system
spec:
  serviceAccountName: gitops-reconciler
  kubeConfig:
    secretRef:
      name: gitops-reconciler-kubeconfig
      key: kubeconfig
  sourceRef:
    kind: GitRepository
    name: oil
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: GitRepository
metadata:
  name: oil
  namespace: oil-system
spec:
  url: https://github.com/oil/oil-apps
```

Let's analyze the setup field by field:
- the GitRepository and the Kustomization are in a Tenant system Namespace
- the Kustomization refers to a ServiceAccount to be impersonated when reconciling the resources the Kustomization refers to: this ServiceAccount is an oil Tenant owner
- the Kustomization also refers to a kubeConfig to be used when reconciling the resources the Kustomization refers to: this is needed to make requests through the Capsule proxy in order to operate on cluster-wide resources as a Tenant
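As an added example (not code from the addon or this page), here is a small Python check that the ServiceAccount, Tenant, CapsuleConfiguration and Kustomization manifests above are wired together consistently; the manifests are embedded as plain dicts and the checks mirror the field-by-field analysis, not any addon API.

```python
# Added example (not part of the addon): cross-check that the ServiceAccount, Tenant,
# CapsuleConfiguration and Flux Kustomization manifests agree with each other.
ENABLED_ANNOTATION = "capsule.addon.fluxcd/enabled"

def _first(manifests, kind):
    return next((m for m in manifests if m.get("kind") == kind), None)

def check_wiring(manifests):
    """Return a list of findings; an empty list means the wiring is consistent."""
    sa = _first(manifests, "ServiceAccount")
    tenant = _first(manifests, "Tenant")
    cfg = _first(manifests, "CapsuleConfiguration")
    ks = _first(manifests, "Kustomization")
    if not all((sa, tenant, cfg, ks)):
        return ["missing ServiceAccount, Tenant, CapsuleConfiguration or Kustomization"]
    findings = []
    sa_name, sa_ns = sa["metadata"]["name"], sa["metadata"]["namespace"]
    # 1. The addon only acts on ServiceAccounts carrying the enabled annotation.
    if sa["metadata"].get("annotations", {}).get(ENABLED_ANNOTATION) != "true":
        findings.append(f"{sa_ns}/{sa_name}: missing {ENABLED_ANNOTATION}=true")
    # 2. The owner entry must use the SA's Kubernetes username, system:serviceaccount:<ns>:<name>.
    owner = f"system:serviceaccount:{sa_ns}:{sa_name}"
    if not any(o.get("kind") == "ServiceAccount" and o.get("name") == owner
               for o in tenant["spec"].get("owners", [])):
        findings.append(f"Tenant {tenant['metadata']['name']}: {owner} is not an owner")
    # 3. The SA's namespace group must be listed in CapsuleConfiguration userGroups.
    if f"system:serviceaccounts:{sa_ns}" not in cfg["spec"].get("userGroups", []):
        findings.append(f"CapsuleConfiguration: userGroups lacks system:serviceaccounts:{sa_ns}")
    # 4. Flux must impersonate that SA and go through the proxy kubeconfig Secret.
    spec = ks["spec"]
    if ks["metadata"].get("namespace") != sa_ns or spec.get("serviceAccountName") != sa_name:
        findings.append("Kustomization: not in the SA namespace or not impersonating the SA")
    if not spec.get("kubeConfig", {}).get("secretRef", {}).get("name"):
        findings.append("Kustomization: no kubeConfig.secretRef, cluster-wide requests bypass the proxy")
    return findings

# Constructed sample: the manifests from the example above, as dicts.
SAMPLE = [
    {"kind": "ServiceAccount", "metadata": {"name": "gitops-reconciler", "namespace": "oil-system",
                                             "annotations": {ENABLED_ANNOTATION: "true"}}},
    {"kind": "Tenant", "metadata": {"name": "oil"}, "spec": {"owners": [
        {"name": "system:serviceaccount:oil-system:gitops-reconciler", "kind": "ServiceAccount"}]}},
    {"kind": "CapsuleConfiguration", "metadata": {"name": "default"},
     "spec": {"userGroups": ["capsule.clastix.io", "system:serviceaccounts:oil-system"]}},
    {"kind": "Kustomization", "metadata": {"name": "oil-apps", "namespace": "oil-system"},
     "spec": {"serviceAccountName": "gitops-reconciler",
              "kubeConfig": {"secretRef": {"name": "gitops-reconciler-kubeconfig", "key": "kubeconfig"}}}},
]
```

Running `check_wiring(SAMPLE)` on the manifests above returns an empty list; dropping the annotation or the kubeConfig reference produces a finding naming the missing piece.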
The oil tenant can also declare new Namespaces thanks to the segregation provided by Capsule.
Note: explicitly setting the service account name can be avoided when it is set as the default ServiceAccount name at Flux's kustomize-controller level via the default-service-account flag.
The addon can also automate the distribution of the Tenant owner's kubeConfig Secret across all of the Tenant's Namespaces.
This is implemented with Capsule's GlobalTenantResource custom resource.
You just need to add the annotation capsule.addon.fluxcd/kubeconfig-global=true to the Tenant owner ServiceAccount.
More information is available in the Capsule official guide, Multi-tenancy the GitOps way.
Lint the code and run the end-to-end tests with:

```shell
make lint
make e2e
```