Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Separate Operator per each Controller? Let's talk. #706

Open
dee-kryvenko opened this issue Jan 31, 2022 · 4 comments
Open

Separate Operator per each Controller? Let's talk. #706

dee-kryvenko opened this issue Jan 31, 2022 · 4 comments

Comments

@dee-kryvenko
Copy link

I just ran into this comment #250 (comment) from @tomaszsek, that basically makes a recommendation to have separate operator per each controller. This really sounds like an anti-pattern and this is not what other operators like Prometheus Operator or Redis Operator do or recommend. Not to mention that each operator registers itself as an admission controller...

In a typical CI/CD implementation in a shared K8s environment, most typical roles would include:

  1. Cluster admins
  2. Operator admins
  3. Controller admins
  4. Job admins
  5. Developers

Obviously, not necessarily that these five are all different people physically - some of these roles might be shared by same teams, and some - be a self-service automation. However, with the current implementation - separation of privileges, wether it is in between people or automation, looks broken to me.

  1. Operator admins should not be able to deploy CRDs and register admission controllers.
  2. Job admins should not be able to configure build pods to use controller SA, as job admins should not necessarily be able to read controller secrets and should not be able to tamper with controller pod.

With that said - to me the most optimal, the most secure, and the most flexible topology would be to have one shared operator in the cluster, each controller in its own separate namespace, which in turn each use one more namespace designated to just build pods.

Although I can see some might want to have more than one operator to watch groups of namespaces instead of a single ns per operator as it is now - but that'd require admission controller to be separated as operator admins would typically not have permissions to deploy it. Not to mention multiple instances of the same admission controller registered as a separate webhooks each sounds like too much overhead for the control plane and can potentially lead to performance degradation in the cluster.

@prryb
Copy link
Collaborator

prryb commented Feb 7, 2022

Hi! Thank you for your message. I do see your point.

When that comment was made, there were no admission controllers. That has changed since that time, that's true. There were some efforts made so that you don't need to have cluster admin permissions to run the operator in a namespace.

It was easier development-wise, to focus on watching one namespace, one Jenkins, etc and there were no strong enough arguments to try to change that.

Now, I think, might be a good time to reconsider that. I'd say making that change (so that one operator supports multiple Jenkins instances) is doable.

@stale
Copy link

stale bot commented Apr 16, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. If this issue is still affecting you, just comment with any updates and we'll keep it open. Thank you for your contributions.

@stale stale bot added the stale label Apr 16, 2022
@brokenpip3 brokenpip3 added this to the 0.10 milestone Mar 1, 2023
@stale stale bot removed the stale label Mar 1, 2023
@github-actions github-actions bot added the stale label May 8, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale May 19, 2023
@TueDissingWork
Copy link

This is still very relevant - any reason this issue have been closed, other than no activity?

@brokenpip3 brokenpip3 reopened this Aug 16, 2023
@brokenpip3
Copy link
Collaborator

I added the right label but I forgot to re-open it

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants