
Feature: Support for Hierarchical Namespaces(HNC)

Open meldsza opened this issue 2 years ago • 1 comment

🔖 Feature description

Hierarchical namespaces are a new concept developed by the Kubernetes Working Group for Multi-Tenancy (wg-multitenancy). In its simplest form, a hierarchical namespace is a regular Kubernetes namespace that contains a small custom resource that identifies a single, optional, parent namespace. This establishes the concept of ownership across namespaces, not just within them.

Devtron currently allows us to give access to certain namespaces in the cluster. However, it does not keep track of hierarchical namespaces. Say, for example, the given namespace hierarchy is defined:

[image: namespace hierarchy diagram]

Currently, if I want to give a user access to the namespaces for Team 1, I need to give access to all the sub-namespaces under that Team as well. If Devtron honored hierarchical namespaces, I could just give access to the Team 1 namespace and it would grant access to Team 1 and all the associated namespaces under it.

🎤 Pitch / Usecases

This feature is really useful in a corporate setting with shared clusters. I can give access to specific parent namespaces to specific teams, and the teams would be free to manage their application namespace segregation however they require.

🔄️ Alternative

The current workaround is manually associating each namespace under a parent namespace to the user which is:

  1. Tedious
  2. If a new namespace is added, it requires the admin to associate the new namespace to the user.

👀 Have you spent some time to check if this issue has been raised before?

  • [X] I checked and didn't find a similar issue

🏢 Have you read the Code of Conduct?

AB#8101

meldsza avatar Jan 17 '24 17:01 meldsza

Alternatively, I would like to see a feature where I can give permissions for all namespaces matching a label selector. (instead of a single namespace)

It would work for most deployments of HNC (assuming only one level of HNC is involved per organization), and would also apply to many other use cases.

(I believe membership of any HNC ancestor namespace can be detected using presence of <parent>.tree.hnc.x-k8s.io/depth label - which means a label selector without value should be able to match all indirect children as well. I have to verify this hypothesis)

mbhegde-orcl avatar Feb 07 '24 05:02 mbhegde-orcl
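To make the two ideas above concrete (a grant on a parent namespace covering its whole subtree, as the issue asks for, and a label-selector grant matching all descendants via the `<ancestor>.tree.hnc.x-k8s.io/depth` label, as the comment proposes), here is an added example. It is not Devtron or HNC code; it assumes the tree-label scheme the comment describes, in which every namespace carries `<ancestor>.tree.hnc.x-k8s.io/depth: N` for itself (N=0) and for each ancestor, and the namespace hierarchy it uses is constructed for illustration. The selector parser implements only a subset of Kubernetes selector syntax (`key`, `!key`, `key=value`, `key!=value`).

```python
"""Model of HNC tree labels and label-selector based namespace grants.

Added example: the hierarchy below is constructed, and the label scheme
(<ancestor>.tree.hnc.x-k8s.io/depth: N on every namespace, N=0 for the
namespace itself) is an assumption taken from the comment above.
"""

TREE_LABEL_SUFFIX = ".tree.hnc.x-k8s.io/depth"


def tree_labels_for(path: list[str]) -> dict[str, str]:
    """Labels a namespace would carry, given its ancestry (root first, leaf last)."""
    leaf_depth = len(path) - 1
    # The leaf is at distance (leaf_depth - i) from the i-th ancestor.
    return {f"{ns}{TREE_LABEL_SUFFIX}": str(leaf_depth - i) for i, ns in enumerate(path)}


# Constructed two-level hierarchy, in the spirit of the issue's diagram.
HIERARCHY = [
    ["team-1"],
    ["team-1", "team-1-app-a"],
    ["team-1", "team-1-app-a", "team-1-app-a-dev"],
    ["team-1", "team-1-app-b"],
    ["team-2"],
    ["team-2", "team-2-app-x"],
]
SAMPLE_NAMESPACES: dict[str, dict[str, str]] = {path[-1]: tree_labels_for(path) for path in HIERARCHY}
SAMPLE_NAMESPACES["kube-system"] = {}  # not managed by HNC, so no tree labels


def parse_selector(selector: str) -> list[tuple[str, str, str]]:
    """Parse a comma-separated selector into (key, op, value) requirements.

    Supported operators: exists ("key"), not-exists ("!key"), "key=value",
    "key!=value". Set-based operators ("in", "notin") are not handled here.
    """
    requirements = []
    for raw in selector.split(","):
        term = raw.strip()
        if not term:
            continue
        if term.startswith("!"):
            requirements.append((term[1:].strip(), "!exists", ""))
        elif "!=" in term:
            key, value = term.split("!=", 1)
            requirements.append((key.strip(), "!=", value.strip()))
        elif "=" in term:
            key, value = term.split("=", 1)
            requirements.append((key.strip(), "=", value.strip().lstrip("=")))
        else:
            requirements.append((term, "exists", ""))
    return requirements


def matches(labels: dict[str, str], requirements: list[tuple[str, str, str]]) -> bool:
    """Kubernetes semantics: all requirements must hold; '!=' also matches absent keys."""
    for key, op, value in requirements:
        present = key in labels
        if op == "exists" and not present:
            return False
        if op == "!exists" and present:
            return False
        if op == "=" and (not present or labels[key] != value):
            return False
        if op == "!=" and present and labels[key] == value:
            return False
    return True


def select_namespaces(namespaces: dict[str, dict[str, str]], selector: str) -> list[str]:
    """Namespaces whose labels satisfy the selector, sorted by name."""
    requirements = parse_selector(selector)
    return sorted(ns for ns, labels in namespaces.items() if matches(labels, requirements))


def descendants_of(namespaces: dict[str, dict[str, str]], root: str) -> list[str]:
    """Whole subtree of root (root included): an existence-only selector on the tree label."""
    return select_namespaces(namespaces, f"{root}{TREE_LABEL_SUFFIX}")


def direct_children_of(namespaces: dict[str, dict[str, str]], root: str) -> list[str]:
    """Only the immediate children: pin the depth value to 1."""
    return select_namespaces(namespaces, f"{root}{TREE_LABEL_SUFFIX}=1")


def is_access_allowed(namespaces: dict[str, dict[str, str]], granted_roots: list[str], target_ns: str) -> bool:
    """A grant on a parent namespace implies access to every namespace in its subtree.

    Unknown namespaces and namespaces outside HNC (no tree labels) are denied
    unless granted directly.
    """
    labels = namespaces.get(target_ns)
    if labels is None:
        return False
    if target_ns in granted_roots:
        return True
    return any(f"{root}{TREE_LABEL_SUFFIX}" in labels for root in granted_roots)


if __name__ == "__main__":
    print("team-1 subtree:", descendants_of(SAMPLE_NAMESPACES, "team-1"))
    print("team-1 children:", direct_children_of(SAMPLE_NAMESPACES, "team-1"))
    for ns in ("team-1-app-a-dev", "team-2-app-x", "kube-system"):
        print(ns, "allowed for team-1 grant:", is_access_allowed(SAMPLE_NAMESPACES, ["team-1"], ns))
```

The existence-only selector is what makes the comment's hypothesis work: because every descendant carries the ancestor's tree label regardless of depth, `team-1.tree.hnc.x-k8s.io/depth` matches indirect children as well, while `team-1.tree.hnc.x-k8s.io/depth=1` narrows to direct children. A newly created sub-namespace gets the label from HNC and so falls under the existing grant without an admin re-associating it.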