k3s-io/helm-controller

Restrict controller deploy namespace

josephferrero opened this issue · 7 comments

Hello,

Is it possible to restrict where the controller can deploy resources? I understand that a namespace deployment will only monitor CRDs in the namespace, however it seems I can set the target namespace to whatever I want including kube-system. I've tried adjusting the service account attached to the controller deployment, but it doesn't seem to have any effect on which namespaces it can create resources in.

Thanks,
Joseph

@brandond - Can you assist on this? I am trying to determine how I can limit the target namespace for the helm-controller. Somehow I can target any namespace despite the service account I am using not having permissions in other namespaces. A new SA is created in the target namespace as well, and I am not sure how this is happening since again the SA I am using does not have permissions in other namespaces.

Hmm, yeah that is an interesting question. I suspect that perhaps the current RBAC is set up such that SA has access to all namespaces, instead of just the one monitored by the controller. Restricting the target namespace to either just the monitored namespace, or a provided list of namespaces, would be a good feature request.
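As an added example that is not part of this thread or of helm-controller's own code, here is a small policy check for the restriction described above: a HelmChart may only deploy into its own namespace or an explicitly allowed list, and never into a protected namespace such as kube-system. The allow-list shape, the protected set and the function names are assumptions for the illustration.

```python
from typing import Dict, List

# Constructed policy (assumption, not a helm-controller setting): which target
# namespaces a HelmChart created in a given namespace may deploy into. A
# namespace absent from this map may only deploy into itself.
ALLOWED_TARGETS: Dict[str, List[str]] = {"apps": ["apps", "apps-ingress"]}
# Namespaces no tenant-created HelmChart may ever target.
PROTECTED_NAMESPACES = {"kube-system"}


def target_namespace(chart: dict) -> str:
    """Where the release lands: spec.targetNamespace when set, otherwise the
    namespace of the HelmChart object itself."""
    own_ns = chart.get("metadata", {}).get("namespace", "default")
    return chart.get("spec", {}).get("targetNamespace") or own_ns


def check_chart(chart: dict, allowed: Dict[str, List[str]] = ALLOWED_TARGETS) -> List[str]:
    """Return the policy violations for one HelmChart; an empty list means allowed."""
    if chart.get("apiVersion") != "helm.cattle.io/v1" or chart.get("kind") != "HelmChart":
        return [f"not a helm.cattle.io/v1 HelmChart: {chart.get('kind')!r}"]
    meta = chart.get("metadata", {})
    own_ns = meta.get("namespace", "default")
    name = f"{own_ns}/{meta.get('name', '<unnamed>')}"
    target = target_namespace(chart)
    violations = []
    if target in PROTECTED_NAMESPACES:
        violations.append(f"{name}: targetNamespace {target} is protected")
    if target not in allowed.get(own_ns, [own_ns]):
        violations.append(f"{name}: {own_ns} may not deploy into {target}")
    return violations


def _chart(name: str, ns: str, target: str = None) -> dict:
    """Build a constructed HelmChart manifest for the demonstration."""
    spec = {"chart": "demo", "repo": "https://charts.example.invalid"}
    if target:
        spec["targetNamespace"] = target
    return {"apiVersion": "helm.cattle.io/v1", "kind": "HelmChart",
            "metadata": {"name": name, "namespace": ns}, "spec": spec}


# Constructed sample CRs: one in-policy, one defaulting to its own namespace,
# one reaching into kube-system as described in the issue.
CHART_OK = _chart("ingress", "apps", "apps-ingress")
CHART_DEFAULT = _chart("web", "apps")
CHART_OUT_OF_SCOPE = _chart("misplaced", "apps", "kube-system")

if __name__ == "__main__":
    for c in (CHART_OK, CHART_DEFAULT, CHART_OUT_OF_SCOPE):
        print(c["metadata"]["name"], check_chart(c) or "allowed")
```

The same logic could back a validating admission webhook or a Kyverno/Gatekeeper policy, which is where such a check belongs until the controller itself enforces a target-namespace list.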

@brandond - Thanks for your response! One more question in the same vein. Rancher deploys the Traefik proxy utilizing a helm chart before I have deployed a Helm controller in any namespace. The Rancher docs say that "K3s includes a Helm Controller that manages Helm charts using a HelmChart Custom Resource Definition (CRD)."

My question is, which Helm Controller is being used to deploy this? I don't see any Helm Controller pod, so I am confused how it's being deployed.

K3s embeds etcd, the core Kubernetes control-plane components, and several additional controllers (including the one from this project) in the main k3s binary.

Ah! Thank you @brandond.

@brandond - I think that since this is already embedded in k3s, the embedded helm controller is overriding the namespaced helm controller I am deploying. I am assuming the helm controller that comes baked in is likely scoped to the cluster, and so it's monitoring CRDs in all namespaces. Is that correct?

That is correct. On recent releases, you can start k3s with --disable-helm-controller if you want to turn it off.