Restrict controller deploy namespace #148

Open
josephferrero opened this issue Jun 22, 2022 · 7 comments
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

@josephferrero

Hello,

Is it possible to restrict where the controller can deploy resources? I understand that a namespace deployment will only monitor CRDs in the namespace, however it seems I can set the target namespace to whatever I want including kube-system. I've tried adjusting the service account attached to the controller deployment, but it doesn't seem to have any effect on which namespaces it can create resources in.

Thanks,
Joseph

@josephferrero
Author

josephferrero commented Jun 24, 2022

@brandond - Can you assist on this? I am trying to determine how I can limit the target namespace for the helm-controller. Somehow I can target any namespace despite the service account I am using not having permissions in other namespaces. A new SA is created in the target namespace as well, and I am not sure how this is happening since again the SA I am using does not have permissions in other namespaces.

@brandond
Member

brandond commented Jun 27, 2022

Hmm, yeah, that is an interesting question. I suspect that perhaps the current RBAC is set up such that the SA has access to all namespaces, instead of just the one monitored by the controller. Restricting the target namespace to either just the monitored namespace, or a provided list of namespaces, would be a good feature request.

@brandond brandond added enhancement New feature or request good first issue Good for newcomers labels Jun 27, 2022
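
Added example (not part of the thread and not the project's code): one way to test the RBAC suspicion above is to list which bindings actually cover a controller's service account and whether any of them is cluster-wide. The binding, role and service account names below are constructed sample data shaped like `kubectl get clusterrolebindings,rolebindings -A -o json` items.

```python
# Constructed sample bindings; every name here is hypothetical.
SAMPLE_BINDINGS = [
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "helm-controller-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "helm-controller",
                   "namespace": "helm-system"}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "helm-scoped", "namespace": "team-a"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "ServiceAccount", "name": "scoped-controller",
                   "namespace": "team-a"}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "all-sas-view", "namespace": "team-b"},
     "roleRef": {"kind": "Role", "name": "viewer"},
     "subjects": [{"kind": "Group", "name": "system:serviceaccounts:team-a"}]},
]

def subject_matches(subject, sa_namespace, sa_name):
    """True if an RBAC subject entry covers the given service account."""
    kind, name = subject.get("kind"), subject.get("name")
    if kind == "ServiceAccount":
        return name == sa_name and subject.get("namespace") == sa_namespace
    if kind == "Group":
        # Groups that every service account token carries implicitly.
        return name in ("system:authenticated", "system:serviceaccounts",
                        f"system:serviceaccounts:{sa_namespace}")
    return False

def binding_scope(bindings, sa_namespace, sa_name):
    """Return (cluster_wide_binding_names, {namespace: [binding names]})."""
    cluster_wide, namespaced = [], {}
    for b in bindings:
        if not any(subject_matches(s, sa_namespace, sa_name)
                   for s in b.get("subjects") or []):
            continue
        name = b["metadata"]["name"]
        if b["kind"] == "ClusterRoleBinding":
            cluster_wide.append(name)  # grants apply in every namespace
        else:
            # A RoleBinding grants only in its own namespace,
            # even when its roleRef points at a ClusterRole.
            namespaced.setdefault(b["metadata"]["namespace"], []).append(name)
    return cluster_wide, namespaced

if __name__ == "__main__":
    for sa in (("helm-system", "helm-controller"), ("team-a", "scoped-controller")):
        print(sa, binding_scope(SAMPLE_BINDINGS, *sa))
```

This reports where a service account is bound, not which verbs it holds; `kubectl auth can-i --as=system:serviceaccount:<namespace>:<name>` answers the verb-level question against a live cluster.
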
@josephferrero
Author

@brandond - Thanks for your response! One more question in the same vein. Rancher deploys the Traefik proxy utilizing a helm chart before I have deployed a Helm controller in any namespace. The Rancher docs say that "K3s includes a Helm Controller that manages Helm charts using a HelmChart Custom Resource Definition (CRD)."

My question is, which Helm Controller is being used to deploy this? I don't see any Helm Controller pod, so I am confused how it's being deployed.

@brandond
Member

brandond commented Jun 28, 2022

K3s embeds etcd, the core Kubernetes control-plane components, and several additional controllers (including the one from this project) in the main k3s binary.

@josephferrero
Author

Ah! Thank you @brandond.

@josephferrero
Author

@brandond - I think that since this is already embedded in k3s, the embedded helm controller is overriding the namespaced helm controller I am deploying. I am assuming the helm controller that comes baked in is likely scoped to the cluster, and so it's monitoring CRDs in all namespaces. Is that correct?

@brandond
Member

That is correct. On recent releases, you can start k3s with `--disable-helm-controller` if you want to turn it off.
