From e0ca92ee4772fd3fe92ecd6bdf8760a4fa261ec0 Mon Sep 17 00:00:00 2001 From: bnallapeta Date: Fri, 15 Sep 2023 15:53:28 +0530 Subject: [PATCH 1/5] Add more details on privilegedNamespaces and clusteradmingroups --- content/integration-config.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/content/integration-config.md b/content/integration-config.md index 6a1842751..a04198445 100644 --- a/content/integration-config.md +++ b/content/integration-config.md @@ -251,11 +251,13 @@ users: ### Cluster Admin Groups -`clusterAdminGroups:` Contains names of the groups that are allowed to perform CRUD operations on namespaces present on the cluster. Users in the specified group(s) will be able to perform these operations without MTO getting in their way +`clusterAdminGroups:` Contains names of the groups that are allowed to perform CRUD operations on namespaces present on the cluster. Users in the specified group(s) will be able to perform these operations without MTO getting in their way. MTO does not interfere even with the deletion of privilegedNamespaces. + +Note: An edge case however is when you have a user containing ':' (eg: kube:admin or kube:masters), in which case, it is a platform problem in that it doesn't allow us to add such users to the group. So, even when you have logged in as kube:admin, you might not be able to delete the privilegedNamespaces due to this reason. ### Privileged Namespaces -`privilegedNamespaces:` Contains the list of `namespaces` ignored by MTO. MTO will not manage the `namespaces` in this list. Values in this list are regex patterns. +`privilegedNamespaces:` Contains the list of `namespaces` ignored by MTO. MTO will not manage the `namespaces` in this list. Treatment for privileged namespaces does not involve further integrations or finalizers processing as with normal namespaces. Values in this list are regex patterns. For example: - To ignore the `default` namespace, we can specify `^default$` 
From 4f3c9d600cc26b178c9cfe832168fda8d50e4132 Mon Sep 17 00:00:00 2001 From: bnallapeta Date: Fri, 15 Sep 2023 16:11:54 +0530 Subject: [PATCH 2/5] pipeline lint comments --- content/integration-config.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/integration-config.md b/content/integration-config.md index a04198445..b1ddb9946 100644 --- a/content/integration-config.md +++ b/content/integration-config.md @@ -251,9 +251,9 @@ users: ### Cluster Admin Groups -`clusterAdminGroups:` Contains names of the groups that are allowed to perform CRUD operations on namespaces present on the cluster. Users in the specified group(s) will be able to perform these operations without MTO getting in their way. MTO does not interfere even with the deletion of privilegedNamespaces. +`clusterAdminGroups:` Contains names of the groups that are allowed to perform CRUD operations on namespaces present on the cluster. Users in the specified group(s) will be able to perform these operations without MTO getting in their way. MTO does not interfere even with the deletion of privilegedNamespaces. -Note: An edge case however is when you have a user containing ':' (eg: kube:admin or kube:masters), in which case, it is a platform problem in that it doesn't allow us to add such users to the group. So, even when you have logged in as kube:admin, you might not be able to delete the privilegedNamespaces due to this reason. +Note: An edge case however is when you have a user containing `:` (eg: `kube:admin` or `kube:masters`), in which case, it is a platform problem in that it doesn't allow us to add such users to the group. So, even when you have logged in as `kube:admin`, you might not be able to delete the privilegedNamespaces due to this reason. ### Privileged Namespaces From 9399caee4478b519f5c3d479e9dc9ae1b99f54aa Mon Sep 17 00:00:00 2001 
From: bnallapeta Date: Wed, 6 Dec 2023 09:02:53 +0530 Subject: [PATCH 3/5] removed eg --- content/integration-config.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/integration-config.md b/content/integration-config.md index b1ddb9946..4de0a1392 100644 --- a/content/integration-config.md +++ b/content/integration-config.md @@ -253,7 +253,7 @@ users: `clusterAdminGroups:` Contains names of the groups that are allowed to perform CRUD operations on namespaces present on the cluster. Users in the specified group(s) will be able to perform these operations without MTO getting in their way. MTO does not interfere even with the deletion of privilegedNamespaces. -Note: An edge case however is when you have a user containing `:` (eg: `kube:admin` or `kube:masters`), in which case, it is a platform problem in that it doesn't allow us to add such users to the group. So, even when you have logged in as `kube:admin`, you might not be able to delete the privilegedNamespaces due to this reason. +Note: An edge case however is when you have a user containing `:` (`kube:admin` or `kube:masters`), in which case, it is a platform problem in that it doesn't allow us to add such users to the group. So, even when you have logged in as `kube:admin`, you might not be able to delete the privilegedNamespaces due to this reason. ### Privileged Namespaces From f37e7c54764de0c844b2d62d533bd6e713cbd8c5 Mon Sep 17 00:00:00 2001 From: bnallapeta Date: Wed, 6 Dec 2023 14:44:24 +0530 Subject: [PATCH 4/5] updated vocabulary commit --- vocabulary | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vocabulary b/vocabulary index 6df794427..5e5fd5928 160000 --- a/vocabulary +++ b/vocabulary @@ -1 +1 @@ -Subproject commit 6df79442723244b60287235a6319d5d422c0b8b0 +Subproject commit 5e5fd5928e6656037a67be50c968e8011f7ca1eb From 1e8949f357f7a4748c292354d1b3468d822b2055 Mon Sep 17 00:00:00 2001 
From: Bharath Nallapeta Date: Wed, 6 Dec 2023 16:57:16 +0530 Subject: [PATCH 5/5] Remove a note on kube:admin as it is not relevant anymore --- content/integration-config.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/content/integration-config.md b/content/integration-config.md index 4de0a1392..0d2dc029c 100644 --- a/content/integration-config.md +++ b/content/integration-config.md @@ -253,8 +253,6 @@ users: `clusterAdminGroups:` Contains names of the groups that are allowed to perform CRUD operations on namespaces present on the cluster. Users in the specified group(s) will be able to perform these operations without MTO getting in their way. MTO does not interfere even with the deletion of privilegedNamespaces. -Note: An edge case however is when you have a user containing `:` (`kube:admin` or `kube:masters`), in which case, it is a platform problem in that it doesn't allow us to add such users to the group. So, even when you have logged in as `kube:admin`, you might not be able to delete the privilegedNamespaces due to this reason. - ### Privileged Namespaces `privilegedNamespaces:` Contains the list of `namespaces` ignored by MTO. MTO will not manage the `namespaces` in this list. Treatment for privileged namespaces does not involve further integrations or finalizers processing as with normal namespaces. Values in this list are regex patterns.
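Review bot: In the Cluster Admin Groups paragraph of PATCH 1/5, the added sentence "MTO does not interfere even with the deletion of privilegedNamespaces" documents a bypass without saying what it means for group membership. Add a sentence stating that anyone in `clusterAdminGroups` can delete privileged namespaces with no MTO check, so the groups listed there should be kept to cluster administrators. In the Privileged Namespaces paragraph, "further integrations or finalizers processing" is vague: name what is skipped. Because the values are regex patterns and the only example is anchored (`^default$`), the text should also say whether a pattern has to match the whole namespace name or can match part of it.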
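Review bot: PATCH 2/5 leaves `privilegedNamespaces` as plain text in both lines it touches ("deletion of privilegedNamespaces", "delete the privilegedNamespaces") while adding backticks to `:`, `kube:admin` and `kube:masters` in the same note. Format the key name as code as well, matching the `privilegedNamespaces:` form used under the Privileged Namespaces heading. The first removed/added pair for the `clusterAdminGroups:` paragraph shows no visible difference; if it is a whitespace fix, the subject "pipeline lint comments" should say so.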
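Review bot: In PATCH 3/5, dropping "eg:" makes the parenthetical "(`kube:admin` or `kube:masters`)" read as the complete list of affected users rather than as examples. If the linter only rejects the abbreviation, write "such as `kube:admin` or `kube:masters`" so the meaning of the note is unchanged. The subject "removed eg" would also be clearer if it named the note being edited.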
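Review bot: PATCH 4/5 bumps the `vocabulary` submodule pointer with only "updated vocabulary commit" as explanation, and nothing in the diff shows what the new subproject commit contains. Say in the commit message which vocabulary entries this series needs from it, so the bump can be reviewed as part of this documentation change rather than taken on trust.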
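Review bot: PATCH 5/5 removes the `kube:admin` note as "not relevant anymore" without stating what changed or from which version, so readers on an earlier version lose the only explanation of why deleting privileged namespaces can fail for such users. Put the reason and version boundary in the commit message, or keep a version-scoped note instead of deleting it outright. Patches 2/5 and 3/5 only edit the note that is deleted here, so the series could be squashed to leave a history that matches the final text.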