diff --git a/README.md b/README.md index a482071a..f266dd86 100644 --- a/README.md +++ b/README.md @@ -224,11 +224,14 @@ To enforce tenant isolation, cluster admins must configure Flux to reconcile the `Kustomization` and `HelmRelease` kinds by impersonating a service account from the namespace where these objects are created. -[Flux v0.26] introduced built-in [multi-tenancy lockdown] features which enables tenant isolation +Flux has built-in [multi-tenancy lockdown] features which enables tenant isolation at Control Plane level without the need of external admission controllers (e.g. Kyverno). The recommended patch: - Enforce controllers to block cross namespace references. + Meaning that a tenant can’t use another tenant’s sources or subscribe to their events. +- Deny accesses to Kustomize remote bases, thus ensuring all resources refer to local files. + Meaning that only approved Flux Sources can affect the cluster-state. - Sets a default service account via `--default-service-account` to `kustomize-controller` and `helm-controller`. Meaning that, if a tenant does not specify a service account in a Flux `Kustomization` or `HelmRelease`, it would automatically default to said account. @@ -243,19 +246,26 @@ This repository applies this patch automatically via apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- gotk-components.yaml -- gotk-sync.yaml + - gotk-components.yaml + - gotk-sync.yaml patches: - patch: | - op: add - path: /spec/template/spec/containers/0/args/0 + path: /spec/template/spec/containers/0/args/- value: --no-cross-namespace-refs=true target: kind: Deployment name: "(kustomize-controller|helm-controller|notification-controller|image-reflector-controller|image-automation-controller)" - patch: | - op: add - path: /spec/template/spec/containers/0/args/0 + path: /spec/template/spec/containers/0/args/- + value: --no-remote-bases=true + target: + kind: Deployment + name: "kustomize-controller" + - patch: | + - op: add + path: /spec/template/spec/containers/0/args/- value: --default-service-account=default target: kind: Deployment @@ -362,7 +372,6 @@ Other policies to explore: - For `HelmRepository` and `GitRepository` consider which protocols should be allowed. - For `Bucket`, consider restrictions on providers and regions. - #### Make serviceAccountName mandatory The lockdown patch sets a default service account that is applied to any `Kustomization` and `HelmRelease` @@ -602,5 +611,4 @@ This repository contains the following GitHub CI workflows: and tests the staging setup by running Flux in Kubernetes Kind -[Flux v0.26]: https://github.com/fluxcd/flux2/releases/tag/v0.26.0 [multi-tenancy lockdown]: https://fluxcd.io/flux/installation/configuration/multitenancy/ diff --git a/clusters/production/flux-system/kustomization.yaml b/clusters/production/flux-system/kustomization.yaml index 8e1e9090..9086dbe0 100644 --- a/clusters/production/flux-system/kustomization.yaml +++ b/clusters/production/flux-system/kustomization.yaml @@ -1,19 +1,26 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- gotk-components.yaml -- gotk-sync.yaml + - gotk-components.yaml + - gotk-sync.yaml patches: - patch: | - op: add - path: /spec/template/spec/containers/0/args/0 + path: /spec/template/spec/containers/0/args/- value: --no-cross-namespace-refs=true target: kind: Deployment name: "(kustomize-controller|helm-controller|notification-controller|image-reflector-controller|image-automation-controller)" - patch: | - op: add - path: /spec/template/spec/containers/0/args/0 + path: /spec/template/spec/containers/0/args/- + value: --no-remote-bases=true + target: + kind: Deployment + name: "kustomize-controller" + - patch: | + - op: add + path: /spec/template/spec/containers/0/args/- value: --default-service-account=default target: kind: Deployment diff --git a/clusters/staging/flux-system/kustomization.yaml b/clusters/staging/flux-system/kustomization.yaml index 8e1e9090..9086dbe0 100644 --- a/clusters/staging/flux-system/kustomization.yaml +++ b/clusters/staging/flux-system/kustomization.yaml @@ -1,19 +1,26 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- gotk-components.yaml -- gotk-sync.yaml + - gotk-components.yaml + - gotk-sync.yaml patches: - patch: | - op: add - path: /spec/template/spec/containers/0/args/0 + path: /spec/template/spec/containers/0/args/- value: --no-cross-namespace-refs=true target: kind: Deployment name: "(kustomize-controller|helm-controller|notification-controller|image-reflector-controller|image-automation-controller)" - patch: | - op: add - path: /spec/template/spec/containers/0/args/0 + path: /spec/template/spec/containers/0/args/- + value: --no-remote-bases=true + target: + kind: Deployment + name: "kustomize-controller" + - patch: | + - op: add + path: /spec/template/spec/containers/0/args/- value: --default-service-account=default target: kind: Deployment