Skip to content
This repository has been archived by the owner on Sep 14, 2020. It is now read-only.

Namespace-scoped operators #32

Closed
10 of 11 tasks
nolar opened this issue Apr 21, 2019 · 0 comments
Closed
10 of 11 tasks

Namespace-scoped operators #32

nolar opened this issue Apr 21, 2019 · 0 comments
Assignees
@nolar
Labels
enhancement New feature or request

Comments

@nolar
Copy link
Contributor

nolar commented Apr 21, 2019
edited
Loading

Current Behaviour

Currently, --namespace= option is used only to limit the watch-event to the objects belonging to that namespace, and ignoring objects in other namespaces.

However, the framework continues to use the cluster-wide watching calls, and cluster-wide peering objects. The peering objects are now cluster-scoped by definition (in CRD), and there are no namespace-scoped peering objects at all.

Expected behaviour

As an operator developer, if I provide --namespace=something, I expect that the operator limits all its activities to that namespace only, and does not even request for the cluster-wide objects/queries — as they can be e.g. restricted by the permissions.

If I provide --namespace=something --peering=somepeering, I expect that the namespace-scoped peering object kind is used, not the cluster-scoped one.

Use-cases

The intended use-case 1: If an operator is a part of the application's deployment, and there are few instances of the same application deployed with different versions, but isolated by the namespaces. As a particular example: running a production, staging, and maybe experimental operators of the same application in different namespaces.

The intended use-case 2: Running in a cluster with strict RBAC rules, with no access to the cluster objects, restricted to one namespace only.

Steps to Reproduce the Problem

  1. Create a RBAC service account with only the namespace permissions.
  2. Deploy any of the example operators with --namespace=default (or any other namespace).
  3. Observe how it fails on api.list_cluster_custom_object() (in queueing.py/watching.py).
    • for kopfexamples
    • for kopfpeerings

Acceptance Criteria

  • Served objects:
    • with --namespace=, it uses the namespace-scoped watching api.list_namespaced_custom_object()
    • with no --namespace=, it uses the cluster-scoped watching api.list_cluster_custom_object()
  • Peering objects:
    • KopfPeering is separated to ClusterKopfPeering & KopfPeering or NamespacedKopfPeering (keep backward compatibility if possible, but align with the existing convention of Role/ClusterRole, etc.)
    • with --namespace=, the namespace-scoped peering object is used.
    • with no --namespace=, the cluster-scoped peering object is used.
    • --peering= option only specifies the peering name, but not the listing/watching mechanics.
  • Documentation:
    • RBAC configuration and deployment pattern.
    • CLI reference page.
    • Peering page.
    • A new page for cluster-vs-namespace separation ("Features" section).
  • Tests.
@nolar nolar changed the title Namespace-scoped peering Namespace-scoped operators Apr 21, 2019
This was referenced Apr 21, 2019
Closed
Closed
@nolar nolar added the enhancement New feature or request label Apr 21, 2019
@nolar nolar self-assigned this Apr 21, 2019
This was referenced Apr 22, 2019
Merged
Merged
Closed
@nolar nolar added this to the 1.0 milestone Apr 30, 2019
@nolar nolar mentioned this issue May 17, 2019
Merged
@nolar nolar closed this as completed May 28, 2019
@nolar nolar mentioned this issue Jul 31, 2019
Open
@kopf-archiver kopf-archiver bot mentioned this issue Aug 19, 2020
Closed
11 tasks
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@nolar nolar

Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@nolar