Comments (4)
@d-m you can use regular RBAC for this. In the spec.space.clusterRole of every Account (see the "Deletable Spaces" example in the readme), you can define the ClusterRole that kiosk uses to create the RoleBinding for the user to be able to manage resources in the namespaces created with this account. You can copy the kiosk default ClusterRole and change it so that users will not be able to manipulate NetworkPolicies.
Does that solve your issue?
from kiosk.
Unfortunately no. We still want tenants to be able to manage their own NetworkPolicy objects since some need to be able to manage egress for their applications. I think we may end up looking at different SDN options for tenant isolation.
from kiosk.
@d-m you can still allow everything besides deleting NetworkPolicies via RBAC, but I guess in your case it would make sense to look at something like gatekeeper or kyverno that allow you to define custom policies for who can delete what, in addition to what kiosk does.
from kiosk.
I'm closing this issue, since policies are not in the scope of kiosk and there are already other projects covering this.
from kiosk.
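The RBAC approach suggested in the thread, sketched as an added example that is not from the thread or the kiosk project: a ClusterRole that enumerates NetworkPolicy verbs without `delete` or `deletecollection`, referenced from an Account through `spec.space.clusterRole`. The object names, the subject, the workload rule set and the Account `apiVersion` are assumptions, and the rules are not a copy of kiosk's default ClusterRole.

```yaml
# Added example. Names and rules are assumptions, not kiosk's default ClusterRole.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: space-admin-no-netpol-delete   # hypothetical name
rules:
# Workload resources: full access (illustrative subset only).
- apiGroups: ["", "apps", "batch"]
  resources:
  - pods
  - services
  - configmaps
  - secrets
  - deployments
  - statefulsets
  - jobs
  - cronjobs
  verbs: ["*"]
# NetworkPolicies: verbs are listed explicitly so that delete and
# deletecollection are never granted. RBAC has no deny rule, so a
# wildcard verb here would hand both back to the tenant.
- apiGroups: ["networking.k8s.io"]
  resources: ["networkpolicies"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
---
# Account that makes kiosk bind the role above in every space it creates.
apiVersion: tenancy.kiosk.sh/v1alpha1   # assumed API version
kind: Account
metadata:
  name: tenant-a                        # hypothetical
spec:
  space:
    clusterRole: space-admin-no-netpol-delete
  subjects:
  - kind: User
    name: tenant-a-user                 # hypothetical
    apiGroup: rbac.authorization.k8s.io
```

RBAC grants are additive, so any other binding that gives the same user `delete` on `networkpolicies` still applies. The role also leaves `update` and `patch` in place, so a tenant can still change a policy's contents, which is the case the admission-policy tools named in the thread are meant to cover.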