Skip to content

Commit

Permalink
Disable Kustomize remote bases
Browse files Browse the repository at this point in the history
Signed-off-by: Stefan Prodan <[email protected]>
  • Loading branch information
stefanprodan committed Oct 10, 2023
1 parent 266c957 commit 39968f5
Show file tree
Hide file tree
Showing 3 changed files with 37 additions and 15 deletions.
22 changes: 15 additions & 7 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -224,11 +224,14 @@ To enforce tenant isolation, cluster admins must configure Flux to reconcile
the `Kustomization` and `HelmRelease` kinds by impersonating a service account
from the namespace where these objects are created.

[Flux v0.26] introduced built-in [multi-tenancy lockdown] features which enables tenant isolation
Flux has built-in [multi-tenancy lockdown] features which enables tenant isolation
at Control Plane level without the need of external admission controllers (e.g. Kyverno). The
recommended patch:

- Enforce controllers to block cross namespace references.
Meaning that a tenant can’t use another tenant’s sources or subscribe to their events.
- Deny accesses to Kustomize remote bases, thus ensuring all resources refer to local files.
Meaning that only approved Flux Sources can affect the cluster-state.
- Sets a default service account via `--default-service-account` to `kustomize-controller` and `helm-controller`.
Meaning that, if a tenant does not specify a service account in a Flux `Kustomization` or
`HelmRelease`, it would automatically default to said account.
Expand All @@ -243,19 +246,26 @@ This repository applies this patch automatically via
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- gotk-components.yaml
- gotk-sync.yaml
- gotk-components.yaml
- gotk-sync.yaml
patches:
- patch: |
- op: add
path: /spec/template/spec/containers/0/args/0
path: /spec/template/spec/containers/0/args/-
value: --no-cross-namespace-refs=true
target:
kind: Deployment
name: "(kustomize-controller|helm-controller|notification-controller|image-reflector-controller|image-automation-controller)"
- patch: |
- op: add
path: /spec/template/spec/containers/0/args/0
path: /spec/template/spec/containers/0/args/-
value: --no-remote-bases=true
target:
kind: Deployment
name: "kustomize-controller"
- patch: |
- op: add
path: /spec/template/spec/containers/0/args/-
value: --default-service-account=default
target:
kind: Deployment
Expand Down Expand Up @@ -362,7 +372,6 @@ Other policies to explore:
- For `HelmRepository` and `GitRepository` consider which protocols should be allowed.
- For `Bucket`, consider restrictions on providers and regions.


#### Make serviceAccountName mandatory

The lockdown patch sets a default service account that is applied to any `Kustomization` and `HelmRelease`
Expand Down Expand Up @@ -602,5 +611,4 @@ This repository contains the following GitHub CI workflows:
and tests the staging setup by running Flux in Kubernetes Kind


[Flux v0.26]: https://github.com/fluxcd/flux2/releases/tag/v0.26.0
[multi-tenancy lockdown]: https://fluxcd.io/flux/installation/configuration/multitenancy/
15 changes: 11 additions & 4 deletions clusters/production/flux-system/kustomization.yaml
Original file line number Diff line number Diff line change
@@ -1,19 +1,26 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- gotk-components.yaml
- gotk-sync.yaml
- gotk-components.yaml
- gotk-sync.yaml
patches:
- patch: |
- op: add
path: /spec/template/spec/containers/0/args/0
path: /spec/template/spec/containers/0/args/-
value: --no-cross-namespace-refs=true
target:
kind: Deployment
name: "(kustomize-controller|helm-controller|notification-controller|image-reflector-controller|image-automation-controller)"
- patch: |
- op: add
path: /spec/template/spec/containers/0/args/0
path: /spec/template/spec/containers/0/args/-
value: --no-remote-bases=true
target:
kind: Deployment
name: "kustomize-controller"
- patch: |
- op: add
path: /spec/template/spec/containers/0/args/-
value: --default-service-account=default
target:
kind: Deployment
Expand Down
15 changes: 11 additions & 4 deletions clusters/staging/flux-system/kustomization.yaml
Original file line number Diff line number Diff line change
@@ -1,19 +1,26 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- gotk-components.yaml
- gotk-sync.yaml
- gotk-components.yaml
- gotk-sync.yaml
patches:
- patch: |
- op: add
path: /spec/template/spec/containers/0/args/0
path: /spec/template/spec/containers/0/args/-
value: --no-cross-namespace-refs=true
target:
kind: Deployment
name: "(kustomize-controller|helm-controller|notification-controller|image-reflector-controller|image-automation-controller)"
- patch: |
- op: add
path: /spec/template/spec/containers/0/args/0
path: /spec/template/spec/containers/0/args/-
value: --no-remote-bases=true
target:
kind: Deployment
name: "kustomize-controller"
- patch: |
- op: add
path: /spec/template/spec/containers/0/args/-
value: --default-service-account=default
target:
kind: Deployment
Expand Down

0 comments on commit 39968f5

Please sign in to comment.