yoyoraso
commented
7 months ago Hi, I have a question related to the namespace isolation is it possible to deploy one pulumi operator in one namespace to watch and create stacks across the cluster in all namespaces ?
Cross-namespace refs won't work with the provided configuration, which gives RBAC permissions for one namespace only. Granting permissions to other namespaces means they are also accessible to the programs run by stacks, which is a security hole.
Therefore: guard the use of
api/pulumi/shared/SecretRef.Namespace, and watching >1 (or all) namespaces withWATCH_NAMESPACE, with an environment variableINSECURE_NO_NAMESPACE_ISOLATION. This must be set to1ortrueto enable cross-namespace operation.This is a breaking change for anyone running the operator with either an empty value, or a comma-separated list (e.g.,
ns1,ns2forWATCH_NAMESPACE; and, for anyone using cross-namespace secret references (i.e., with a value in.namespaceunder one of the fields listed below). The documented means of installing the operator setsWATCH_NAMESPACEto be the namespace in which the operator is deployed.References in Stack which can be cross-namespace (
*indicates there's a list or map):.spec.envRefs[*].secret.spec.secretRefs[*].secret.spec.gitAuth.accessToken.secret.spec.gitAuth.sshAuth.sshPrivateKey.secret.spec.gitAuth.sshAuth.password.secret.spec.gitAuth.basicAuth.userName.secret.spec.gitAuth.basicAuth.password.secretTo fix the breakage:
WATCH_NAMESPACEwith an empty value or several values, modify your configuration so that you're running the operator in each namespace where you have Stack objects. (This PR extends the provided Pulumi programs so they will do this for you.)INSECURE_NO_NAMESPACE_ISOLATIONto the operator deployment spec, in the same place asWATCH_NAMESPACESis defined. Be aware that this is really only suitable for "single tenant" clusters -- when you are happy for anyone with access to have access to everything.