gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Cleanup the vestigial "namespace" parameter #49509

Open codingllama opened 3 days ago

codingllama commented 3 days ago

This is not about k8s namespaces.

Various Teleport resources have a "namespace" parameter (example1, example2, example3) dating from the Gravity days. That parameter is largely unsupported and fixed to apidefaults.Namespace in the vast majority of the code.

Removing "namespace" clears cruft and confusion and simplifies various parts of Teleport.

codingllama commented 3 days ago

An early example of an attempted cleanup: https://github.com/gravitational/teleport/commit/ae99259f41276f9261592068c8c9ae8f17f8b781.

codingllama commented 3 days ago

The main difficulty here is that namespaces are baked into some of the older Teleport resources (namely Servers, Apps and Databases) in a way that makes it difficult to reason about whether a non-"default" namespace may actually be used (although anecdotal evidence seems to support that they aren't).

A phased approach where we gradually introduce errors for non-"default" namespaces (so we gain confidence that they aren't used) could be a good way to do it. After a few versions without errors we can more aggressively assume "default" and remove difficult references.

In the short term I would expect some cleanups/simplification but no permanent solution.

Edit: it's also worth mentioning lib/services.MatchNamespace, in RBAC land, for completeness.