Clastix Labs clastix Italy clastix.io Cloud Native Solutions across Edge, Cloud, and Data Center.

clastix/capsule 563

Kubernetes Operator for multi-tenancy

clastix/kubelived 48

keepalived for kubernetes control plane

clastix/capsule-lens-extension 24

Lens Extension for Capsule Operator

clastix/capsule-proxy 21

Reverse proxy for Capsule Operator.

clastix/kubectl-login 4

kubectl login manager

clastix/kubectl 1

Kubernetes CLI running in a container. ARM supported.

clastix/capsule-helm-chart 0

:no_entry: [DEPRECATED] Active at https://github.com/clastix/capsule/tree/master/charts/capsule

clastix/charts 0

Clastix Open Source projects Charts

clastix/coaks-baseline-architecture 0

Capsule over AKS baseline reference architecture

clastix/hiring 0

Job descriptions for our open roles

started clastix/capsule

started time in 5 hours

push event clastix/charts

prometherion

commit sha b57c0dfdc56a939d5eec2b32509c2423cb14868a

Publish capsule-proxy-0.1.5.tgz

view details

push time in a day

push event clastix/capsule-proxy

Maxim Fedotov

commit sha 37b63310e6f8e40fb23d98f5d6979dccdab9c41a

build(helm): update chart version to 0.1.5 and app version to 0.1.1 (#148)

Co-authored-by: Maksim Fedotov <m_fedotov@wargaming.net>

view details

push time in a day

issue closed clastix/capsule-proxy

Update capsule-proxy chart version

In order to support the changes in capsule-proxy v0.1.1, we also need to update the version of the capsule-proxy Helm chart.

closed time in a day

MaxFedotov

push event clastix/capsule

alegrey91

commit sha d1736bbe8f62ee3973f32a3c4c8418e7dc7ebd63

refactor(test): switch from kubernetes version control to NoKindMatchError

view details

push time in a day

issue opened clastix/capsule-proxy

Update capsule-proxy chart version

In order to support the changes in capsule-proxy v0.1.1, we also need to update the version of the capsule-proxy Helm chart.

created time in a day

issue comment clastix/capsule

Make programmable deny of wildcard hostnames

For the v1beta1 (and deprecated v1alpha1) versions, this check can be put in place using the annotation capsule.clastix.io/deny-wildcard=true.

The default value, since the annotation key is not available, is false.

prometherion

comment created time in a day

push event clastix/capsule

alegrey91

commit sha cdb372332f7157fd935761800100e746ef61ea3f

refactor(test): switch from kubernetes version control to NoKindMatchError

view details

push time in a day

push event clastix/capsule

Bright Zheng

commit sha 0039c91c236288ef3082f77cd8c092ba730ce4fb

docs: fix doc minor issues (#425)

view details

push time in a day

PR merged clastix/capsule

fix doc minor issues

IMHO, this is the best set of docs regarding what considerations must be taken while thinking/designing multitenancy support in Kubernetes.

While walking through the docs one by one, I spotted some small issues, and this is a small PR to fix all I found.

+16 -13

2 comments

4 changed files

brightzheng100

pr closed time in a day

issue comment clastix/capsule

tenant owner can't impersonate a namespace admin

@brightzheng100 thanks for your suggestion, definitely something we can consider for the next releases.

brightzheng100

comment created time in a day

started clastix/kubelived

started time in a day

issue opened clastix/capsule-proxy

armv7/arm64 support

As in clastix/capsule#244, we should provide arm support for capsule-proxy for the said arm architectures.

Our @ptx96 is the man to get this done! 🚀

created time in a day

started clastix/capsule-proxy

started time in a day

created tag clastix/capsule-proxy

tag v0.1.1

Reverse proxy for Capsule Operator.

created time in a day

release clastix/capsule-proxy

v0.1.1

released time in a day

issue comment clastix/capsule

tenant owner can't impersonate a namespace admin

I don't know the rationale behind the ClusterRole/admin design in terms of permissions, but that makes some sense too.

As we're assuming the Tenant Owner works like the Cluster Admin in the assigned namespaces, this security issue shouldn't be a big concern, just like we shouldn't challenge why the Cluster Admin can impersonate anyone within the assigned cluster.

So this may raise a potential requirement, where a custom cluster role, instead of the built-in admin, may be used while creating the Tenant for the assigned Tenant Owners.

In this case, the design might be slightly changed to something like:

type OwnerSpec struct {
	Name string `json:"name"`
	Kind Kind   `json:"kind"`
	// +kubebuilder:default=admin
	Role string `json:"role,omitempty"`
}

Not sure whether this makes any sense, thanks!

brightzheng100

comment created time in a day

issue comment clastix/capsule

tenant owner can't impersonate a namespace admin

@brightzheng100 Thanks for reporting this issue.

Currently, the Capsule operator creates a RoleBinding between the tenant owner identity, e.g. the user alice, and the regular user-facing ClusterRole admin:

$ kubectl get rolebindings -n oil-development
NAME                    ROLE                                    AGE
namespace-deleter       ClusterRole/capsule-namespace-deleter   8d
namespace:admin         ClusterRole/admin                       8d

The user-facing ClusterRole admin does not allow impersonating users and groups, only serviceaccounts:

$ kubectl describe ClusterRole/admin
Name:         admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources                                       Non-Resource URLs  Resource Names  Verbs
  ---------                                       -----------------  --------------  -----
  clusterpolicies.kyverno.io                      []                 []              [*]
  clusterreportchangerequests.kyverno.io          []                 []              [*]
  policies.kyverno.io                             []                 []              [*]
  reportchangerequests.kyverno.io                 []                 []              [*]
  clusterpolicyreports.wgpolicyk8s.io/v1alpha1    []                 []              [*]
  policyreports.wgpolicyk8s.io/v1alpha1           []                 []              [*]
  rolebindings.rbac.authorization.k8s.io          []                 []              [create delete deletecollection get list patch update watch]
  roles.rbac.authorization.k8s.io                 []                 []              [create delete deletecollection get list patch update watch]
  configmaps                                      []                 []              [create delete deletecollection patch update get list watch]
  endpoints                                       []                 []              [create delete deletecollection patch update get list watch]
  persistentvolumeclaims                          []                 []              [create delete deletecollection patch update get list watch]
  pods                                            []                 []              [create delete deletecollection patch update get list watch]
  replicationcontrollers/scale                    []                 []              [create delete deletecollection patch update get list watch]
  replicationcontrollers                          []                 []              [create delete deletecollection patch update get list watch]
  services                                        []                 []              [create delete deletecollection patch update get list watch]
  daemonsets.apps                                 []                 []              [create delete deletecollection patch update get list watch]
  deployments.apps/scale                          []                 []              [create delete deletecollection patch update get list watch]
  deployments.apps                                []                 []              [create delete deletecollection patch update get list watch]
  replicasets.apps/scale                          []                 []              [create delete deletecollection patch update get list watch]
  replicasets.apps                                []                 []              [create delete deletecollection patch update get list watch]
  statefulsets.apps/scale                         []                 []              [create delete deletecollection patch update get list watch]
  statefulsets.apps                               []                 []              [create delete deletecollection patch update get list watch]
  horizontalpodautoscalers.autoscaling            []                 []              [create delete deletecollection patch update get list watch]
  cronjobs.batch                                  []                 []              [create delete deletecollection patch update get list watch]
  jobs.batch                                      []                 []              [create delete deletecollection patch update get list watch]
  daemonsets.extensions                           []                 []              [create delete deletecollection patch update get list watch]
  deployments.extensions/scale                    []                 []              [create delete deletecollection patch update get list watch]
  deployments.extensions                          []                 []              [create delete deletecollection patch update get list watch]
  ingresses.extensions                            []                 []              [create delete deletecollection patch update get list watch]
  networkpolicies.extensions                      []                 []              [create delete deletecollection patch update get list watch]
  replicasets.extensions/scale                    []                 []              [create delete deletecollection patch update get list watch]
  replicasets.extensions                          []                 []              [create delete deletecollection patch update get list watch]
  replicationcontrollers.extensions/scale         []                 []              [create delete deletecollection patch update get list watch]
  ingresses.networking.k8s.io                     []                 []              [create delete deletecollection patch update get list watch]
  networkpolicies.networking.k8s.io               []                 []              [create delete deletecollection patch update get list watch]
  poddisruptionbudgets.policy                     []                 []              [create delete deletecollection patch update get list watch]
  deployments.apps/rollback                       []                 []              [create delete deletecollection patch update]
  deployments.extensions/rollback                 []                 []              [create delete deletecollection patch update]
  localsubjectaccessreviews.authorization.k8s.io  []                 []              [create]
  pods/attach                                     []                 []              [get list watch create delete deletecollection patch update]
  pods/exec                                       []                 []              [get list watch create delete deletecollection patch update]
  pods/portforward                                []                 []              [get list watch create delete deletecollection patch update]
  pods/proxy                                      []                 []              [get list watch create delete deletecollection patch update]
  secrets                                         []                 []              [get list watch create delete deletecollection patch update]
  services/proxy                                  []                 []              [get list watch create delete deletecollection patch update]
  bindings                                        []                 []              [get list watch]
  events                                          []                 []              [get list watch]
  limitranges                                     []                 []              [get list watch]
  namespaces/status                               []                 []              [get list watch]
  namespaces                                      []                 []              [get list watch]
  persistentvolumeclaims/status                   []                 []              [get list watch]
  pods/log                                        []                 []              [get list watch]
  pods/status                                     []                 []              [get list watch]
  replicationcontrollers/status                   []                 []              [get list watch]
  resourcequotas/status                           []                 []              [get list watch]
  resourcequotas                                  []                 []              [get list watch]
  services/status                                 []                 []              [get list watch]
  controllerrevisions.apps                        []                 []              [get list watch]
  daemonsets.apps/status                          []                 []              [get list watch]
  deployments.apps/status                         []                 []              [get list watch]
  replicasets.apps/status                         []                 []              [get list watch]
  statefulsets.apps/status                        []                 []              [get list watch]
  horizontalpodautoscalers.autoscaling/status     []                 []              [get list watch]
  cronjobs.batch/status                           []                 []              [get list watch]
  jobs.batch/status                               []                 []              [get list watch]
  daemonsets.extensions/status                    []                 []              [get list watch]
  deployments.extensions/status                   []                 []              [get list watch]
  ingresses.extensions/status                     []                 []              [get list watch]
  replicasets.extensions/status                   []                 []              [get list watch]
  nodes.metrics.k8s.io                            []                 []              [get list watch]
  pods.metrics.k8s.io                             []                 []              [get list watch]
  ingresses.networking.k8s.io/status              []                 []              [get list watch]
  poddisruptionbudgets.policy/status              []                 []              [get list watch]
  serviceaccounts                                 []                 []              [impersonate create delete deletecollection patch update get list watch]

So impersonating users is not allowed for tenant owners.

On the other side, giving the impersonate permission on users and groups can lead to a security issue, since the tenant owner can use this capability to access resources they are not allowed to.

For example, if we, as cluster admin, apply

kubectl apply -f - << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: impersonator
rules:
- apiGroups: [""]
  resources: ["users"]
  verbs: ["impersonate"]
EOF

kubectl apply -f - << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: impersonator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: impersonator
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: capsule.clastix.io
EOF

the tenant owner alice can impersonate the user joe:

alice@cmp:~$ kubectl --as joe get sa -n oil-development
NAME      SECRETS   AGE
default   1         8d

At the same time, she can impersonate any other user:

alice@cmp:~$ kubectl --as bob get sa -n water-development
NAME      SECRETS   AGE
default   1         8d

Any idea how to solve this in a safe way would be really appreciated.

brightzheng100

comment created time in 2 days
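To make the scope of the two grants in the comment above concrete, here is an added toy evaluator (not Capsule's or Kubernetes' code) over the rules quoted there: the admin ClusterRole bound per namespace, and the cluster-wide impersonator ClusterRole. It also tries an assumed narrower variant that uses the RBAC resourceNames field to name the users that may be impersonated; that hardening is an illustration here, not something the page proposes.

```python
"""Toy evaluator for the Kubernetes RBAC rules quoted in the comment above.

Constructed example: it models only the 'impersonate' verb on the core-group
'users' and 'serviceaccounts' resources, enough to show why a cluster-wide
ClusterRoleBinding to the 'impersonator' role lets a tenant owner act as any
user in any namespace. It is not a full RBAC authorizer.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    api_groups: list
    resources: list
    verbs: list
    resource_names: list = field(default_factory=list)  # empty means any name


@dataclass
class Binding:
    role: list          # rules of the referenced (Cluster)Role
    subjects: set       # user and group names bound to it (toy: one flat set)
    namespace: str = ""  # "" stands for a ClusterRoleBinding (cluster scope)


def rule_allows(rule, api_group, resource, verb, name):
    return (
        (api_group in rule.api_groups or "*" in rule.api_groups)
        and (resource in rule.resources or "*" in rule.resources)
        and (verb in rule.verbs or "*" in rule.verbs)
        and (not rule.resource_names or name in rule.resource_names)
    )


def can_impersonate(bindings, caller, kind, name, namespace):
    """kind is 'users' or 'serviceaccounts'; caller is the user's name plus groups."""
    for b in bindings:
        if not (b.subjects & caller):
            continue
        # A RoleBinding only grants inside its own namespace; a ClusterRoleBinding
        # grants everywhere, which is the leak the comment demonstrates.
        if b.namespace and b.namespace != namespace:
            continue
        if any(rule_allows(r, "", kind, "impersonate", name) for r in b.role):
            return True
    return False


# Relevant subset of 'kubectl describe ClusterRole/admin' from the comment.
ADMIN_RULES = [Rule([""], ["serviceaccounts"], ["impersonate", "get", "list"])]
# The cluster-wide 'impersonator' ClusterRole applied in the comment.
IMPERSONATOR_RULES = [Rule([""], ["users"], ["impersonate"])]
# Assumed hardening (not from the page): same verb, restricted with resourceNames.
LIMITED_RULES = [Rule([""], ["users"], ["impersonate"], ["joe"])]

# alice is the tenant owner; Capsule puts tenant owners in this group.
ALICE = {"alice", "capsule.clastix.io"}

CAPSULE_DEFAULT = [Binding(ADMIN_RULES, {"alice"}, "oil-development")]
WITH_IMPERSONATOR = CAPSULE_DEFAULT + [Binding(IMPERSONATOR_RULES, {"capsule.clastix.io"})]
WITH_LIMITED = CAPSULE_DEFAULT + [Binding(LIMITED_RULES, {"capsule.clastix.io"})]
```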

issue comment clastix/capsule

Support Any Additional resource

@oliverbaehler thanks for suggesting this improvement. I think this will require some sort of refactoring of the code. Let's see what @prometherion says.

oliverbaehler

comment created time in 2 days

pull request comment clastix/capsule

fix doc minor issues

Ah...that makes sense and it's been updated. Thanks

brightzheng100

comment created time in 2 days

pull request comment clastix/capsule

fix doc minor issues

@brightzheng100 I forgot to mention we use conventional commit messages. Please change the commit message to something like docs: fix doc minor issues. Thanks

brightzheng100

comment created time in 2 days


PR opened clastix/capsule

fix doc minor issues

IMHO, this is the best set of docs regarding what considerations must be taken while thinking/designing multitenancy support in Kubernetes.

While walking through the docs one by one, I spotted some small issues, and this is a small PR to fix all I found.

+16 -13

0 comments

4 changed files

pr created time in 2 days

started clastix/capsule

started time in 3 days

issue opened clastix/capsule

tenant owner can't impersonate a namespace admin

Bug description

The tenant owner Alice can't impersonate the namespace admin Joe assigned by her. Only Cluster Admin can do this as of now.

How to reproduce

By following the docs, the tenant owner Alice assigns Joe as the namespace admin:

export KUBECONFIG=alice-oil.kubeconfig

kubectl apply -f - << EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  labels:
  name: oil-development:admin
  namespace: oil-development
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: joe
EOF

But she can't impersonate Joe:

kubectl --as joe --as-group capsule.clastix.io auth can-i create pod -n oil-development
Error from server (Forbidden): users "joe" is forbidden: User "alice" cannot impersonate resource "users" in API group "" at the cluster scope

And only the Cluster Admin can:

unset KUBECONFIG
kubectl --as joe --as-group capsule.clastix.io auth can-i create pod -n oil-development
yes
kubectl --as joe --as-group capsule.clastix.io auth can-i create pod -n oil-production
no

Expected behavior

The tenant owner should be able to act like a Cluster Admin within the assigned tenant.

Additional context

  • Capsule version: v0.1.0
  • Kubernetes version: v1.21.2

created time in 3 days

fork brightzheng100/capsule

Kubernetes Operator for multi-tenancy

fork in 3 days

push event clastix/charts

prometherion

commit sha 2bd37d8d134634de149223440395a97220c1d013

Publish capsule-proxy-0.1.4.tgz

view details

push time in 3 days

push event clastix/capsule-proxy

Dario Tranchitella

commit sha 89987cc8a3e4b17d1012e1d2108457ac44328756

feat!: reading Capsule user groups array from CR

This change marks the flag --capsule-user-group as deprecated in favor of retrieval from the CapsuleConfiguration custom resource. In case the deprecated CLI flag is used, the CR will not be read.

view details

Dario Tranchitella

commit sha 78ca1ec9b14faf650b80c2d59529cdc525895c54

build(helm): support for CapsuleConfiguration CR

view details

Dario Tranchitella

commit sha e255222f68e31d2485a82e3a22b37743cc077f1e

docs(helm): adding capsuleConfigurationName option

view details

push time in 3 days