Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bind installations to clusters instead of users #386

Open
ncbkr opened this issue Jul 26, 2022 · 3 comments
Open

Bind installations to clusters instead of users #386

ncbkr opened this issue Jul 26, 2022 · 3 comments

Comments

@ncbkr
Copy link

ncbkr commented Jul 26, 2022

Use Case

It would be great if installations could be bound to a cluster. We have many different cluster set up. we observe that switching between service accounts and managing user to service account mappings is becoming error prone and difficult to maintain.

If installations were bound to clusters, the service accounts would be a lot easier to maintain. As this way, service accounts can have multiple clusters in multiple cloud platforms.

Ideas of Implementation

Additional Info

Message from the maintainers:

Excited about this feature? Give it a 👍. We factor engagement into prioritization.
@davidspek
Copy link
Contributor

Another reason to bind installations to clusters, is that this opens up the possibility to “share” clusters between users in an account. This can be particularly useful, for example, if another user needs to be able to change the OIDC configuration of an application or uninstall an application or package in our API.

While a service account somewhat solves for this problem, the fact is that people will create an account in Plural and a user will deploy a cluster without thinking of these limitations. After which all the apps deployed on that cluster can only be managed by that single user.
A perfect example of this is our own production cluster that runs Plural.

I think traditionally a service account is more like a way for another service or workload to access something (an account for a service with certain bound permissions), and not really an analogue for standard users.

@davidspek
Copy link
Contributor

Another reason, as @ncbkr already mentioned, is that currently users are pinned to a specific cloud provider as otherwise the app upgrade streams will collide. For example, the GCP specific packages would get deployed in an AWS cluster/repository.

Pinning the cloud provider to users has already caused issues when people try and switch between providers in their account. A common example for this happening is a user first deploying a local KinD cluster to test Plural, and afterwards trying to deploy a production cluster on one of the cloud providers. It causes a lot of user friction to need to explain to them how to unpin their user from one cloud provider before using another.

@davidspek
Copy link
Contributor

Another issue related to this is that trying to run Plural in CI to test an application would mean a new Plural service account will need to be made in each CI run since installations are user bound and not cluster bound.

@avaidyanatha avaidyanatha added the request Feature request from the community. label Dec 13, 2022
@swoodward90 swoodward90 removed the request Feature request from the community. label Sep 21, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@swoodward90 @davidspek @avaidyanatha @ncbkr