redhat-cop / namespace-configuration-operator

The namespace-configuration-operator helps keep configurations related to Users, Groups and Namespaces aligned with one or more policies specified as CRs
Apache License 2.0

[FEATURE] Onboarding teams which have the ability to create, delete namespaces and operate objects within namespace #56

Closed cshivashankar closed 4 years ago

cshivashankar commented 4 years ago

I don't know if the Namespace configurator currently supports this feature, but looking at the docs, I couldn't find any information about this.

Scenario: What if a team is onboarded which in turn has subteams, and those subteams need to have independent sandboxes/namespaces for work? Assuming there is a team T1 and there are subteams T1A, T1B, T1C. With current onboarding, there is an ability to create namespaces and set configurations like ResourceQuota, LimitRange, PSP, etc. But if T1 needs to create different namespaces for its subteams with the same namespace configs applied to T1, how to do it? Assuming subteams are dynamic and can keep changing. There might be a requirement to create a new namespace for subteam T1D and delete the namespace for team T1C. The whole point here is T1 is an onboarded entity and it won't have privileges like cluster-admin, but it should have the ability to create namespaces. Permission to operate and delete namespaces should be possible only in the namespaces created by T1. So team T1 can only access or delete the namespaces it created, nothing else.

Other similar scenarios could be onboarding teams that have pipelines where the creation and deletion of the namespace is a requirement.

raffaelespazzoli commented 4 years ago

If I understand this request correctly, you are asking for the possibility to create loops in the resource template so that multiple resources of the same type will be created based on an arbitrary list. @cnuland is working on a PR to add this feature: https://github.com/redhat-cop/operator-utils/pull/32

cnuland commented 4 years ago

Take a look at my examples here @cshivashankar https://github.com/cnuland/namespace-config-argocd-ocp-demo/blob/master/resources/onboarding-groupconfig.yaml

https://github.com/cnuland/namespace-config-argocd-ocp-demo/blob/master/resources/group.yaml

This is using the changes in operator-utils that @raffaelespazzoli posted, which haven't been implemented yet in any release. This should give you an idea, though, of what we're trying to work towards soon.