loft-sh / vcluster

vCluster - Create fully functional virtual Kubernetes clusters - Each vcluster runs inside a namespace of the underlying k8s cluster. It's cheaper than creating separate full-blown clusters and it offers better multi-tenancy and isolation than regular namespaces.
https://www.vcluster.com
Apache License 2.0

Create permission for endpoints/restricted on OpenShift #280

Closed tobru closed 2 years ago

tobru commented 2 years ago

The vcluster docs mention that create permission for the endpoints/restricted resource is required. On APPUiO Cloud we do not grant this permission to our restricted (normal) users. We're wondering why this permission is needed and if there is a way to circumvent this permission. Can you give us some insights on that requirement?

matskiv commented 2 years ago

Hello @tobru This permission is required because OpenShift has a built-in admission controller (some info about it is in this comment) for the Endpoint resources, which denies the creation of the endpoints pointing into the cluster network or service network CIDR ranges unless this additional permission is given. Vcluster needs to create endpoints pointing to the service CIDR range because it synchronizes Endpoints from a virtual cluster into a host cluster to ensure that the Services will work correctly.

It should be possible to achieve the correct Services functionality without the need for synchronization of all Endpoints, so I created this issue to investigate and implement the change - #281. Once it's done, the Endpoint synchronization would become optional, and we will put the endpoints permissions (including endpoints/restricted) into the "extended permissions" section of our chart (not required by default).
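The admission rule described in the comment above can be reproduced as a pre-flight check: given the host cluster's pod and service CIDRs, decide which Endpoints objects would be refused for a requester that lacks `create` on `endpoints/restricted`. The script below is an added example, not vcluster's or OpenShift's code; the CIDRs, the sample Endpoints objects and the `admission_decision` helper are constructed for illustration, and the real network ranges should be taken from the cluster's network configuration.

```python
"""Pre-flight check for the OpenShift restricted-endpoints rule.

Added example (not vcluster or OpenShift code). It mirrors the policy the
issue comment describes: an Endpoints object whose addresses fall inside the
cluster (pod) network or the service network is only admitted if the caller
may 'create' the endpoints/restricted subresource.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample ranges; replace with your cluster's actual values.
CLUSTER_NETWORK = ["10.128.0.0/14"]
SERVICE_NETWORK = ["172.30.0.0/16"]

# Constructed sample: the kind of Endpoints vcluster syncs into the host
# cluster, pointing at a host-cluster Service IP (inside SERVICE_NETWORK).
SAMPLE_SYNCED_ENDPOINTS: Dict = {
    "metadata": {"name": "my-svc-x-default-x-vcluster", "namespace": "tenant-a"},
    "subsets": [{"addresses": [{"ip": "172.30.15.7"}], "ports": [{"port": 443}]}],
}

# Constructed sample: Endpoints pointing at an external address; not covered
# by the rule, so plain 'create endpoints' is enough.
SAMPLE_EXTERNAL_ENDPOINTS: Dict = {
    "metadata": {"name": "external-db", "namespace": "tenant-a"},
    "subsets": [{"addresses": [{"ip": "203.0.113.10"}], "ports": [{"port": 5432}]}],
}


def restricted_addresses(endpoints: Dict, cluster_cidrs: Iterable[str],
                         service_cidrs: Iterable[str]) -> List[str]:
    """Return every address in the object that lies inside a protected CIDR.

    Both ready and not-ready addresses are checked, because the admission rule
    is about where the Endpoints point, not whether they are currently ready.
    """
    nets = [ipaddress.ip_network(c) for c in (*cluster_cidrs, *service_cidrs)]
    hits: List[str] = []
    for subset in endpoints.get("subsets", []) or []:
        for key in ("addresses", "notReadyAddresses"):
            for addr in subset.get(key, []) or []:
                ip = ipaddress.ip_address(addr["ip"])
                if any(ip in net for net in nets):
                    hits.append(str(ip))
    return hits


def needs_restricted_permission(endpoints: Dict,
                                cluster_cidrs: Iterable[str] = CLUSTER_NETWORK,
                                service_cidrs: Iterable[str] = SERVICE_NETWORK) -> bool:
    """True if creating this object requires 'create' on endpoints/restricted."""
    return bool(restricted_addresses(endpoints, cluster_cidrs, service_cidrs))


def admission_decision(endpoints: Dict, creatable_resources: Iterable[str],
                       cluster_cidrs: Iterable[str] = CLUSTER_NETWORK,
                       service_cidrs: Iterable[str] = SERVICE_NETWORK) -> str:
    """Hypothetical helper simulating the admission outcome.

    creatable_resources is the set of core-group resources the requester may
    'create' (e.g. {"endpoints"} or {"endpoints", "endpoints/restricted"}).
    """
    if "endpoints" not in creatable_resources:
        return "denied"
    if needs_restricted_permission(endpoints, cluster_cidrs, service_cidrs) \
            and "endpoints/restricted" not in creatable_resources:
        return "denied"
    return "allowed"


if __name__ == "__main__":
    for obj in (SAMPLE_SYNCED_ENDPOINTS, SAMPLE_EXTERNAL_ENDPOINTS):
        name = obj["metadata"]["name"]
        hits = restricted_addresses(obj, CLUSTER_NETWORK, SERVICE_NETWORK)
        print(f"{name}: restricted addresses={hits}, "
              f"with 'endpoints' only -> {admission_decision(obj, {'endpoints'})}, "
              f"with endpoints/restricted -> "
              f"{admission_decision(obj, {'endpoints', 'endpoints/restricted'})}")
```

Running this against the Endpoints objects vcluster would sync (or against a dump from `kubectl get endpoints -o json`) shows, before granting any Role, which objects the host cluster would reject under the intended RBAC, which is exactly the question the thread raises.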

tobru commented 2 years ago

Thank you very much @matskiv for the explanation, that helps to understand it. I think we can close this issue, all is tracked in #281 :+1:

matskiv commented 2 years ago

Cool, np. Okay, I'll close this one :)