https://github.com/moolen/att1c
- Host: GitHub
- URL: https://github.com/moolen/att1c
- Owner: moolen
- Created: 2021-02-13T21:17:43.000Z (over 5 years ago)
- Default Branch: master
- Last Pushed: 2021-02-14T00:23:35.000Z (over 5 years ago)
- Last Synced: 2025-02-23T19:46:32.016Z (over 1 year ago)
- Language: Shell
- Size: 21.5 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# flux v2 multi-tenancy
Evaluation of tenant isolation by enforcing `spec.ServiceAccountName` on `Kind=Kustomization` and `Kind=HelmRelease`.
## use-case
Development teams should have an easy-to-use self-service interface for registering new tenants on a platform. This is a PoC that uses a simple Helm chart to automate the RBAC and Namespace creation. Onboarding a team usually needs more work, though, for example:
- pin workloads to a certain worker group
- add annotations and labels
- networking segmentation
- monitoring/alerting/logging integration
- generate policies for this particular namespace
```yaml
# this is not implemented, this is a
# rough outline of how it could look
teams:
  - namespace: "tenant-a-preview"
    environment: "preview"
    # network segmentation
    network:
      zone: "tenant" # or `system` or `shared-services`
      egress: true # egress traffic is allowed
      sharing: true # allowed to share services with other namespaces
    # alerting configuration
    alerting:
      teams: "http://xxx.yy.zz"
      email:
        - address: oncall@acme.org
          severity: critical
    # monitoring configuration
    monitoring:
      cloudwatch: true
      services: ["RDS"]
    # logging configuration
    logging:
      tenant: "default"
    # OPA/KYVERNO policy generation
    policies:
      allowed_ingress_zone: a.dev.acme.org
    repo:
      url: https://github.com/moolen/att1c-tenant
      path: "./dev/"
```
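The isolation rule this README evaluates, written out as an admission-style check (an added example, not code from the att1c repository): every Flux `Kustomization` and `HelmRelease` must pin `spec.serviceAccountName` (the YAML key for the `ServiceAccountName` field), otherwise the object is rejected. The sample manifests are constructed and reuse the `tenant-a-preview` namespace from the outline above.

```python
"""Admission-style check for Flux v2 tenant isolation. Constructed example,
not code from the att1c repository: every Kustomization and HelmRelease must
pin spec.serviceAccountName, so the controllers apply a tenant's manifests
with that ServiceAccount's RBAC rather than their own cluster-wide rights."""
from typing import Any

# Flux v2 kinds whose reconciliation honours spec.serviceAccountName.
ENFORCED_KINDS = {"Kustomization", "HelmRelease"}


def check_tenant_isolation(obj: dict[str, Any]) -> list[str]:
    """Return policy violations for one manifest; [] means it is admitted."""
    kind = obj.get("kind")
    if kind not in ENFORCED_KINDS:
        return []  # e.g. GitRepository: not covered by this policy
    meta, spec = obj.get("metadata", {}), obj.get("spec", {})
    ref = f"{kind}/{meta.get('namespace', '?')}/{meta.get('name', '?')}"
    violations = []
    sa = spec.get("serviceAccountName")
    if not isinstance(sa, str) or not sa.strip():
        # Missing or empty: the controller would fall back to its own
        # identity, which is what the multi-tenancy setup must prevent.
        violations.append(f"{ref}: spec.serviceAccountName must be set")
    return violations


def admit(manifests: list[dict[str, Any]]) -> tuple[list[str], list[str]]:
    """Split manifests into admitted object refs and violation messages."""
    admitted, rejected = [], []
    for obj in manifests:
        problems = check_tenant_isolation(obj)
        if problems:
            rejected.extend(problems)
        else:
            admitted.append(f"{obj.get('kind')}/{obj['metadata']['name']}")
    return admitted, rejected


# Constructed sample manifests for the README's tenant-a-preview namespace.
SAMPLE_MANIFESTS = [
    {"kind": "Kustomization", "metadata": {"name": "apps", "namespace": "tenant-a-preview"},
     "spec": {"path": "./dev/", "serviceAccountName": "tenant-a"}},
    {"kind": "HelmRelease", "metadata": {"name": "nginx", "namespace": "tenant-a-preview"},
     "spec": {"chart": {"spec": {"chart": "nginx"}}}},  # no ServiceAccount pinned
    {"kind": "HelmRelease", "metadata": {"name": "redis", "namespace": "tenant-a-preview"},
     "spec": {"serviceAccountName": ""}},  # empty string is not a pinned account
    {"kind": "GitRepository", "metadata": {"name": "tenant-a", "namespace": "tenant-a-preview"},
     "spec": {"url": "https://github.com/moolen/att1c-tenant"}},
]

if __name__ == "__main__":
    ok, bad = admit(SAMPLE_MANIFESTS)
    print("admitted:", ok)
    print("rejected:", *bad, sep="\n  ")
```

The same rule can be expressed as a Kyverno or OPA validating policy, which is the direction the `policies:` section of the outline points to.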