Open fgiloux opened 1 year ago
kcp sync command generate manifests where the following resources: deployments.apps", "secrets", "configmaps", "serviceaccounts are always synced.
This definitely has to change. @qiujian16 has a PR up or even merged that makes the syncer automatically get the resources from the supported APIExport. I would guess with that merged, you should have a solution, shouldn't you?
Plus the topic about selective configmap/secret/serviceaccount syncing is necessary. With those two you should have Tekton-only syncing.
Plus the topic about selective configmap/secret/serviceaccount syncing is necessary. With those two you should have Tekton-only syncing.
There's an issue already about this topic: https://github.com/kcp-dev/contrib-tmc/issues/137
Is this feature still relevant, or is it made obsolete by kcp-dev/kcp#1895?
I think it relates to PR https://github.com/kcp-dev/kcp/pull/2164
After it is merged. It could work like this:
You can have two workspaces location workspace: where synctarget resides, and administrator can access user workspace: where user can access
kubectl kcp sync --apiexports root:compute|kubernetes, tekton-workspace|tekton-apiexport
to start the syncer.Does the above flow makes sense?
/transfer-issue contrib-tmc
Feature Description
I would like to have two personas that need to sync resources to a compute cluster part of our service offering:
Both administrators and end users have their own workspaces, where they are allowed to bind the apiexport of the compute cluster.
Preventing end users to create deployments in their workspace could be addressed by quotas. This is however not ideal to expose an API in their workspace that they cannot leverage, to block them to use this API through a binding of an apiexport for their own compute.
Proposed Solution
Currently I am considering creating two SyncTargets in two separate workspaces (as the APIExport is always called kubernetes) and allow:
Challenge: kcp sync command generate manifests where the following resources: deployments.apps", "secrets", "configmaps", "serviceaccounts are always synced. These manifests can be amended before they get applied to the compute cluster but:
Alternative Solutions
Want to contribute?
Additional Context
Discussion in this slack thread: https://kubernetes.slack.com/archives/C021U8WSAFK/p1663666920366639