Commit

Merge pull request #19 from jacekn/docs
Make tenant isolation paragraph more explicit
stefanprodan authored Feb 19, 2021
2 parents 0629f26 + 46a6407 commit f24fcad
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -137,10 +137,10 @@ the dev-team repository must contain Kubernetes objects scoped to the `apps` nam

## Enforce tenant isolation

To enforce tenant isolation, cluster admins should configure Flux to reconcile
To enforce tenant isolation, cluster admins must configure Flux to reconcile
the `Kustomization` and `HelmRelease` kinds by impersonating a service account
from the namespace where these objects are created. In order to make the
`spec.ServiceAccountName` field mandatory, you can use a validation webhook like
`spec.ServiceAccountName` field mandatory, you should use a validation webhook, for example
[Kyverno](https://github.com/kyverno/kyverno) or [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper).
On cluster bootstrap, you need to configure Flux to deploy the validation webhook and its policies before
reconciling the tenants repositories.
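Review bot: The requirement levels in the two changed sentences no longer agree: the first now says admins "must configure Flux" to impersonate a service account, while the second only says "you should use a validation webhook" to make the field mandatory. The webhook is the only enforcement mechanism this paragraph names, so with "should" the "must" reads as unenforced; consider "you must use a validation webhook, for example" or add a sentence stating what happens when a tenant omits the field. Since this line is being edited anyway, the field reference `spec.ServiceAccountName` could also be changed to `spec.serviceAccountName`, which is how the key is written in `Kustomization` and `HelmRelease` manifests and is what a Kyverno or Gatekeeper policy would have to match.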