kptdev / kpt

Automate Kubernetes Configuration Editing
https://kpt.dev
Apache License 2.0

Support kpt live without cluster wide permissions #1546

Open howardjohn opened 3 years ago

howardjohn commented 3 years ago

Is your feature request related to a problem? Please describe.

Currently, kpt live, like helm and kustomize, can be used by users without cluster admin permissions. Once ResourceGroup replaces configmap for inventory tracking, it seems this will no longer be the case. While namespace administrators may use it once the cluster admin has created the CRD, they cannot just use it out of the box. This makes kpt live not a viable alternative to kubectl apply or similar tools for many environments.

Describe the solution you'd like

Anything that doesn't require cluster wide privileges

Describe alternatives you've considered

Additional context

Many environments have users that are given access to only certain namespaces. They cannot install cluster scoped resources. These users may want to use kpt live because it's great, but will be unable to (or, at least it will be harder to) if it requires a CRD.

bgrant0607 commented 2 years ago

We're adding more server-side components, such as the ResourceGroup controller, Config Sync, and the Porch server and controller, which depend on CRDs. Probably the package functionality will eventually depend on repo registration, also.

Maybe an alternate code path using ConfigMaps could be maintained for narrower uses of kpt live, if someone wanted to contribute that, but it's not consistent with the project's current direction. @mortent may have thoughts.

mortent commented 2 years ago

As mentioned in the issue, kpt used to rely on a ConfigMap to store the inventory list rather than the ResourceGroup type. We chose to change to use a CRD here because encoding data into the ConfigMap turned out to have some challenges and we wanted to add additional information, which is easier to represent in a CRD. It is possible to define a way to include this in a ConfigMap, but I don't think it is something we are likely to prioritize.

howardjohn commented 2 years ago

I was hoping kpt would be able to be a (much) smarter kubectl apply. It serves that role pretty well today, and I don't think there are any other tools that come close. I understand that isn't the goal/direction of the project, but it does seem like a bit of a gap in the ecosystem.