[RFC] Multi-Tenant Workload Identity #5209
Conversation
matheuscscp
force-pushed
the
rfc-multi-tenant-workload-identity
branch
2 times, most recently
from
b795adf to
3034741
Compare
stefanprodan
changed the title
matheuscscp
force-pushed
the
rfc-multi-tenant-workload-identity
branch
15 times, most recently
from
5a5f4ac to
614bbc8
Compare
matheuscscp
force-pushed
the
rfc-multi-tenant-workload-identity
branch
10 times, most recently
from
f505036 to
3e9b36a
Compare
matheuscscp
force-pushed
the
rfc-multi-tenant-workload-identity
branch
from
af55097 to
ac8a8de
Compare
|
I'm now addressing the offline comments I got during KubeCon EU 2025. From @stealthybox:
From @hiddeco:
From @stefanprodan:
|
|
@stealthybox @hiddeco @stefanprodan Comments from KubeCon addressed, please feel free to do another pass/approve. |
matheuscscp
force-pushed
the
rfc-multi-tenant-workload-identity
branch
from
6de8de0 to
c76ea14
Compare
matheuscscp
force-pushed
the
rfc-multi-tenant-workload-identity
branch
4 times, most recently
from
64e29f8 to
0f4cf9f
Compare
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
matheuscscp
force-pushed
the
rfc-multi-tenant-workload-identity
branch
from
0f4cf9f to
d0a69fe
Compare
| is authenticating with the Kubernetes API when applying resources. If | ||
| we used the same field for both purposes users would be forced to use | ||
| multi-tenancy for both cloud and Kubernetes API interactions. |
There was a problem hiding this comment.
Putting it like this, it actually doesn't sound like a bad idea after all. Why would you want to use multi-tenancy for Kubernetes RBAC but not for cloud? Or the opposite? It's hard for me to imagine a decent use case where multi-tenancy should apply only to one of those two. That said, users currently using multi-tenancy for RBAC would suddenly be forced to use it also for cloud if we used the same field for both things, and that would be a really bad breaking change.
With all of this in mind, if there is no justifiable use case of multi-tenancy only for RBAC or only for cloud, I propose we use the existing spec.serviceAccountName and existing --default-service-account, and introduce also a feature gate to avoid the breaking change, e.g. UseServiceAccountForDecryption. This feature gate can start opt-in and then change to opt-out later.
But I'm not so much hell bent on this idea, if we can find arguments or use cases of multi-tenancy only for RBAC or only for cloud I'm totally fine with giving up on this (the existing use cases of people using multi-tenancy for RBAC do not count, my point is that they should be using multi-tenancy for cloud as well if it was supported)
There was a problem hiding this comment.
Hmmm but people could be using different cloud identities for decryption through secrets and not be using multi-tenant RBAC... Would that justify multi-tenancy for cloud but not for RBAC? 🤔 🤔 🤔
| In the `Bucket` API we have previously introduced the optional field `spec.sts`. | ||
| This field has configuration for interacting with the STS service of the cloud | ||
| provider, most specifically the `spec.sts.endpoint` field. In the specific case | ||
| of the `Bucket` API, there's also the field `spec.sts.provider`, which allows | ||
| using other STS configurations relavant only to the `generic` bucket provider, | ||
| whose underlying implementation uses the MinIO SDK (the AWS S3-compatible object | ||
| storage server). The same does not apply to the other Flux APIs, so we propose | ||
| introducing only a single optional field `spec.stsEndpoint` instead. |
There was a problem hiding this comment.
@stefanprodan I changed this part, please review. I think spec.stsEndpoint is better for the other APIs, spec.sts makes sense only for Bucket
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
…tial Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
In this RFC we aim to add support for multi-tenant workload identity in Flux, i.e. the ability to specify at the object-level which set of cloud provider permissions must be used for interacting with the respective cloud provider on behalf of the reconciliation of the object. In this process, credentials must be obtained automatically, i.e. this feature must not involve the use of secrets. This would be useful in a number of Flux APIs that need to interact with cloud providers, including all controllers except helm-controller.
Preview: https://github.com/fluxcd/flux2/blob/rfc-multi-tenant-workload-identity/rfcs/0010-multi-tenant-workload-identity/README.md
Umbrella issue for implementation: #5022