loft-sh / vcluster

vCluster - Create fully functional virtual Kubernetes clusters - Each vcluster runs inside a namespace of the underlying k8s cluster. It's cheaper than creating separate full-blown clusters and it offers better multi-tenancy and isolation than regular namespaces.
https://www.vcluster.com
Apache License 2.0

Stop synchronizing Endpoints that belong to a Service and enhance Service sync to preserve functionality #281

Closed matskiv closed 2 years ago

matskiv commented 2 years ago

What: Currently, vcluster synchronizes Endpoints from the virtual cluster into the host cluster. The main objective of this is to ensure that Kubernetes Services work as expected, but it should be achievable with a "translation" of the selector field of the Service resources to point to the expected pods that are running in the host, and this should be implemented as part of this issue. Going forward, we should not sync Endpoints that are backing Services from the virtual cluster into the host cluster. We will sync other Endpoints created by the user in the virtual cluster, but this will likely be an opt-in feature.

Why: Reduce the permission scope of the vcluster. In some cases, users don't have create/update/delete permissions for the endpoint resources. This will likely be more and more common, for example, due to CVE-2021-25740 affecting Kubernetes - https://github.com/kubernetes/kubernetes/issues/103675 (TLDR: mitigation of the CVE is to remove Endpoint permissions from the edit role). This would also allow us to reduce permissions required for installation on OpenShift. Related issue - #280

How: A deeper investigation into the viability of the described changes. E.g. other needs for Endpoints edit permissions besides basic Service functionality - leader election and "control-plane.alpha.kubernetes.io/leader" annotation? How will we be able to ignore the Service Endpoints in the endpoints controller?

tobru commented 2 years ago

Are there any plans to bring this feature into 0.7.0?

FabianKramm commented 2 years ago

@tobru this isn't currently super high priority for us, is this a problem for you because of the extra permissions required?

tobru commented 2 years ago

Yes, exactly. It blocks us from running vcluster properly on APPUiO Cloud (Multi-Tenant Shared OpenShift 4 Cluster).

FabianKramm commented 2 years ago

@tobru Mhh I see, we will definitely pick this up in the next couple of weeks, but if you are interested, we would also be willing to accept a PR for this as a separate endpoints syncer.

FabianKramm commented 2 years ago

@tobru this should be working now with the new v0.8.0-alpha.0 and the values:

sync:
  services:
    syncServiceSelector: true
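The selector "translation" proposed in the issue, as an added illustration that is not vcluster's own code: a virtual Service selector is rewritten into namespace-scoped labels assumed to be stamped on the host pods, so the host's endpoints controller fills in Endpoints itself and vcluster needs no Endpoints write permissions. The label key scheme (`vcluster.example/...`) is an assumption for this example, not vcluster's real encoding.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Pod is a minimal stand-in for a host-cluster pod; only labels matter here.
type Pod struct {
	Name   string
	Labels map[string]string
}

// translateSelector rewrites labels from a virtual-cluster namespace into
// host-cluster labels. The virtual namespace is pinned by a marker label so two
// tenants using the same label (e.g. app=web) never select each other's pods.
// The key prefix is an assumed scheme, not vcluster's actual label encoding.
func translateSelector(virtualNS string, labels map[string]string) map[string]string {
	out := map[string]string{"vcluster.example/namespace": virtualNS}
	for k, v := range labels {
		out["vcluster.example/label-"+strings.ReplaceAll(k, "/", "_")] = v
	}
	return out
}

// matches reports whether every selector key/value is present on the pod.
func matches(selector, podLabels map[string]string) bool {
	for k, v := range selector {
		if podLabels[k] != v {
			return false
		}
	}
	return true
}

// selectHostPods returns, sorted, the host pods a translated Service selector
// picks; the host endpoints controller would turn exactly these into Endpoints.
func selectHostPods(virtualNS string, selector map[string]string, pods []Pod) []string {
	translated := translateSelector(virtualNS, selector)
	var names []string
	for _, p := range pods {
		if matches(translated, p.Labels) {
			names = append(names, p.Name)
		}
	}
	sort.Strings(names)
	return names
}

func main() {
	// Constructed sample: the same app=web label in two virtual namespaces.
	pods := []Pod{
		{"web-a", translateSelector("team-a", map[string]string{"app": "web"})},
		{"web-b", translateSelector("team-b", map[string]string{"app": "web"})},
	}
	fmt.Println(selectHostPods("team-a", map[string]string{"app": "web"}, pods))
}
```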