Comments (6)
It could but it would expose more information globally than we wanted to. SyncSets transfer per cluster certificates, identity providers, lists of dedicated admin usernames, etc. Pushing this up to a global SelectorSyncSet CRD complicates RBAC and potentially exposes us to reveal more information to someone than we wanted to. The distinction between the two offers better flexibility for RBAC in a multi-tenant use of Hive, and possibly better security as well.
from hive.
This was our original plan but I believe the determining factor was namespaced vs global. We use namespaces as a small layer of isolation for clusters as those namespaces contain account credentials and certificates. In the case of SyncSet we're tying to specific clusters and thus it made sense to have them be a namespaced CRD. At the time of writing they could contain secrets (we since have a way to break those out), but in general for per cluster content we felt it was best to isolate those into the namespace with the cluster(s) they relate to.
SelectorSyncSet on the other hand we wanted to be a global resource as they typically span many or all clusters in all namespaces. We could do that with some kind of implicit rule like they live in the Hive namespace, but at the time we discussed it felt best to separate them given the differences in their scope.
from hive.
cc @csrwng @twiest in case I'm misremembering any of that.
from hive.
No, that's correct. We wanted SyncSets to be a namespaced resource because it's associated with a cluster deployment in a specific namespace. SelectorSyncSets can apply to cluster deployments across many namespaces; therefore, they are a cluster-scoped CRD.
from hive.
Thanks @dgoodwin and @csrwng, but I think the SelectorSyncSet should be able to cover the case of SyncSet?
from hive.
@dgoodwin this makes sense, thanks!
from hive.
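The RBAC split discussed in this thread, as an added example that is not part of the original comments or the Hive project's own manifests: a tenant gets SyncSet access only inside the namespace that holds its clusters, while SelectorSyncSet access is granted cluster-wide to a fleet admin group. The namespace, role and group names are hypothetical.

```yaml
# Added example; namespace, role and group names are hypothetical.
# SyncSets are namespaced, so a Role limits a tenant to the namespace
# that holds its own ClusterDeployments, credentials and certificates.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: syncset-editor
  namespace: team-a-clusters
rules:
  - apiGroups: ["hive.openshift.io"]
    resources: ["syncsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: team-a-syncset-editor
  namespace: team-a-clusters
subjects:
  - kind: Group
    name: team-a-admins
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: syncset-editor
  apiGroup: rbac.authorization.k8s.io
---
# SelectorSyncSets are cluster-scoped and can match clusters in every
# namespace, so access is granted only through a ClusterRole and a
# ClusterRoleBinding, here to a fleet-wide admin group.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: selectorsyncset-admin
rules:
  - apiGroups: ["hive.openshift.io"]
    resources: ["selectorsyncsets"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: fleet-selectorsyncset-admin
subjects:
  - kind: Group
    name: hive-fleet-admins
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: selectorsyncset-admin
  apiGroup: rbac.authorization.k8s.io
```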