fluxcd / flux

Successor: https://github.com/fluxcd/flux2
https://fluxcd.io
Apache License 2.0

Using AllowedNamespaces and CreateCluster parameters causes that there's no access to global resources #3612

Closed trepafi closed 2 years ago

trepafi commented 2 years ago

Describe the bug

When we set up the allowedNamespaces parameter to let Flux manage only specific namespaces, we are forced to set clusterRole.create: false. This creates a bunch of Roles, one for each namespace, instead of a global ClusterRole.

The problem comes when there are namespaces that need access to global resources (like the Cert Manager ClusterIssuer) or any CRD (like VolumeSnapshot), causing errors like this one:

customresourcedefinitions.apiextensions.k8s.io "thanosrulers.monitoring.coreos.com" is forbidden: User "system:serviceaccount:flux:flux" cannot get resource "customresourcedefinitions" in API group "apiextensions.k8s.io" at the cluster scope

It would be easier to have a --skip-namespaces attribute.

Steps to reproduce

  1. Set the allowedNamespaces attribute with the list of allowed namespaces
  2. Set clusterRole.create to false
  3. Upgrade the Flux Helm release
  4. Let Flux sync up

Expected behavior

Flux has access to all resources needed by deployed applications

Kubernetes version / Distro / Cloud provider

Amazon EKS

Flux version

Flux v1.20

Git provider

No response

Container Registry provider

No response

Additional context

No response

kingdonb commented 2 years ago

Thanks for the report!

I'm not sure I understand what your intention is with this setting. The intention of the allowedNamespaces setting is to cordon off an instance of Flux so that it is corralled inside of a namespace, or several namespaces, as a "tenant". These cluster-wide resources or non-namespaced resources require cluster-admin level access to manage, so when you manage them, by definition you are no longer a "tenant" – in Flux v2 examples, these types of Kustomizations are considered "infrastructure" as they cannot be safely tenanted while retaining their function.

Flux will only reconcile resources that it has found mentioned in the git repository. So I guess I'm not sure why you need Flux to "skip namespaces" if you aren't trying to build a multi-tenant configuration with isolated tenants.

An aside, we're really keen to get everyone on Flux v2, I'm not sure if you've seen it, but there is a migration guide: https://fluxcd.io/docs/migration/flux-v1-migration/

The Flux project has made a public commitment to support Flux v1 with migration and security upgrades. This has been in effect since June of last year. Since October 2020, the Flux project (Flux v1) has formally been in maintenance mode, which also means no new features will be added.

This information is posted here, on the Migration Timetable: https://fluxcd.io/docs/migration/timetable/

I can offer various forms of support to help get you migrated to Flux v2, and I'm interested in your feedback if there are blockers that have prevented you from migrating. But Flux v1 is near End of Life and this enhancement request is unlikely to be addressed with a new feature update.
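As an added pre-flight check that is not part of this issue or of Flux itself: a small Python model of the RBAC situation the reporter hits and the maintainer explains. A namespaced Role can never grant access at the cluster scope, so a Flux instance deployed with allowedNamespaces and clusterRole.create: false is forbidden from CRDs, ClusterIssuers and anything in a namespace outside the allow-list. The table of cluster-scoped kinds and the manifest list are constructed for the example; against a real cluster, `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:flux:flux` is the authoritative answer.

```python
"""Model of what a namespace-restricted Flux v1 service account can reconcile.

allowedNamespaces forces clusterRole.create: false, i.e. one Role per allowed
namespace instead of a ClusterRole. Kubernetes RBAC evaluates namespaced Roles
only inside their namespace, so cluster-scoped kinds always fail with the
"forbidden ... at the cluster scope" error quoted in the issue.
"""
from dataclasses import dataclass
from typing import List, Optional

# Assumed, constructed table of cluster-scoped kinds; extend it for your CRDs.
CLUSTER_SCOPED_KINDS = {
    "CustomResourceDefinition", "Namespace", "ClusterRole", "ClusterRoleBinding",
    "ClusterIssuer",        # cert-manager, named in the issue
    "VolumeSnapshotClass",  # snapshot CRD that is cluster scoped
    "StorageClass", "PersistentVolume",
}


@dataclass(frozen=True)
class Resource:
    kind: str
    name: str
    namespace: Optional[str] = None  # None: cluster-scoped, or "default" if namespaced


def forbidden_resources(allowed_namespaces: List[str], cluster_role_create: bool,
                        manifests: List[Resource]) -> List[str]:
    """Return one reason string per manifest the Flux service account cannot touch."""
    if cluster_role_create:
        return []  # ClusterRole + ClusterRoleBinding: every resource is reachable
    allowed = set(allowed_namespaces)
    problems = []
    for r in manifests:
        if r.kind in CLUSTER_SCOPED_KINDS:
            problems.append(f"{r.kind}/{r.name}: cluster-scoped, namespaced Roles cannot grant it")
            continue
        ns = r.namespace or "default"  # namespaced kind without a namespace lands in default
        if ns not in allowed:
            problems.append(f"{r.kind}/{r.name}: namespace {ns!r} is not in allowedNamespaces")
    return problems


# Constructed sample repository contents mirroring the issue's examples.
SAMPLE_MANIFESTS = [
    Resource("Deployment", "api", "team-a"),
    Resource("VolumeSnapshot", "db-snap", "team-a"),                 # namespaced CR: fine
    Resource("CustomResourceDefinition", "thanosrulers.monitoring.coreos.com"),
    Resource("ClusterIssuer", "letsencrypt"),
    Resource("Deployment", "web", "team-b"),                          # outside allow-list
]

if __name__ == "__main__":
    for line in forbidden_resources(["team-a"], False, SAMPLE_MANIFESTS):
        print(line)
```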