vexxhost / magnum-cluster-api

Cluster API driver for OpenStack Magnum
Apache License 2.0

Document isolated clusters #209

Open mnaser opened 12 months ago

mnaser commented 12 months ago

We've done a lot of really cool work around isolated clusters with the proxy, but none of it is documented. We should do that.

jrosser commented 9 months ago

I did a walk through with my team of deploying m-capi in our lab environment this week, and there was surprise that we dropped the most privileged .kube/config onto the node running the proxy to allow it to interact with the control plane. Is there a "least privilege" approach possible here with a more minimally privileged credential?

This could be that it's possible but I just don't know how to do it, or it could be more of a bug/feature that there isn't really a suitable RBAC concept in the control plane cluster.

mnaser commented 5 months ago

@jrosser: I think this would be something that would need to be done on the deployment level where we create an RBAC policy with the minimum things (probably endpoint slice, etc).

I think this could be figured out with trial and error.
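As an added example (not code from the magnum-cluster-api project or from either participant in this thread), this is the shape a deployment-level least-privilege grant for the proxy's credential could take on the management cluster. It assumes the proxy only needs to read EndpointSlices and the Services they belong to in the namespace holding the Magnum/Cluster API objects; that resource list is an assumption to be confirmed against the proxy's actual API calls, as the comment above says. The namespace `magnum-system`, the name `magnum-capi-proxy`, and the server/CA/token values are placeholders.

```yaml
# Added example: a read-only, namespace-scoped credential for the proxy node,
# to be placed there instead of the admin kubeconfig.
# ASSUMPTION (not confirmed by the project): the proxy only needs to read
# EndpointSlices and Services in the namespace that holds the cluster objects.
# Namespace and names are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: magnum-capi-proxy
  namespace: magnum-system
# The token is minted explicitly below; nothing auto-mounts it into pods.
automountServiceAccountToken: false
---
# A namespaced Role (not a ClusterRole): the grant is confined to one
# namespace and carries no create/update/patch/delete verbs.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: magnum-capi-proxy
  namespace: magnum-system
rules:
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: magnum-capi-proxy
  namespace: magnum-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: magnum-capi-proxy
subjects:
  - kind: ServiceAccount
    name: magnum-capi-proxy
    namespace: magnum-system
---
# Kubeconfig for the proxy node. Fill in the API server URL, the cluster CA,
# and a short-lived token for the service account, for example:
#   kubectl -n magnum-system create token magnum-capi-proxy --duration=24h
apiVersion: v1
kind: Config
current-context: proxy
clusters:
  - name: management
    cluster:
      server: https://MANAGEMENT_API_SERVER:6443   # placeholder
      certificate-authority-data: BASE64_CA_PLACEHOLDER
users:
  - name: magnum-capi-proxy
    user:
      token: SERVICE_ACCOUNT_TOKEN_PLACEHOLDER
contexts:
  - name: proxy
    context:
      cluster: management
      user: magnum-capi-proxy
      namespace: magnum-system
```

To check the grant before handing it to the proxy, run `kubectl --kubeconfig proxy.kubeconfig auth can-i list endpointslices -n magnum-system` (expect `yes`) and `kubectl --kubeconfig proxy.kubeconfig auth can-i get secrets -n magnum-system` (expect `no`); `kubectl auth can-i --list -n magnum-system` prints the full effective permission set. If the proxy then fails with a `forbidden` error from the API server, that error names the exact resource and verb to add, which is the trial-and-error loop the comment describes. If cluster objects live in several namespaces, the same read-only rules go into a ClusterRole with a ClusterRoleBinding instead.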