diff --git a/content/changelog.md b/content/changelog.md index 4acdad1b2..c3c2324ad 100644 --- a/content/changelog.md +++ b/content/changelog.md @@ -28,7 +28,7 @@ - Started to support Kubernetes along with OpenShift as platform type. - Support of MTO's PostgreSQL instance as persistent storage for keycloak. -- Added `kube:admin` as default cluster admin within MTO. +- `kube:admin` is now bypassed by default to perform operations, earlier `kube:admin` needed to be mentioned in respective tenants to give it access over namespaces. ## v0.9.x diff --git a/content/faq.md b/content/faq.md index 0435e5e47..90ae4fad1 100644 --- a/content/faq.md +++ b/content/faq.md 
@@ -1,13 +1,44 @@ # FAQs -## Q. Error received while performing Create, Update or Delete action on namespace `"Cannot CREATE namespace test-john without label stakater.com/tenant"` +## Namespace Admission Webhook -**A.** Error occurs when a user is trying to perform create, update, delete action on a namespace without the required `stakater.com/tenant` label. This label is used by the operator to see that authorized users can perform that action on the namespace. Just add the label with the tenant name so that MTO knows which tenant the namespace belongs to, and who is authorized to perform create/update/delete operations. For more details please refer to [Namespace use-case](./tutorials/tenant/creating-namespaces.md). +### Q. Error received while performing Create, Update or Delete action on Namespace -## Q. How do I deploy cluster-scoped resource via the ArgoCD integration? +```terminal +Cannot CREATE namespace test-john without label stakater.com/tenant +``` -**A.** Multi-Tenant Operator's ArgoCD Integration allows configuration of which cluster-scoped resources can be deployed, both globally and on a per-tenant basis. For a global allow-list that applies to all tenants, you can add both resource `group` and `kind` to the [IntegrationConfig's](./how-to-guides/integration-config.md#argocd) `spec.argocd.clusterResourceWhitelist` field. Alternatively, you can set this up on a tenant level by configuring the same details within a [Tenant's](./how-to-guides/tenant.md) `spec.argocd.appProject.clusterResourceWhitelist` field. For more details, check out the [ArgoCD integration use cases](./tutorials/argocd/enabling-multi-tenancy-argocd.md#allow-argocd-to-sync-certain-cluster-wide-resources) +**Answer.** Error occurs when a user is trying to perform create, update, delete action on a namespace without the required `stakater.com/tenant` label. This label is used by the operator to see that authorized users can perform that action on the namespace. 
Just add the label with the tenant name so that MTO knows which tenant the namespace belongs to, and who is authorized to perform create/update/delete operations. For more details please refer to [Namespace use-case](./tutorials/tenant/creating-namespaces.md). + +### Q. Error received while performing Create, Update or Delete action on OpenShift Project + +```terminal +Cannot CREATE namespace testing without label stakater.com/tenant. User: system:serviceaccount:openshift-apiserver:openshift-apiserver-sa +``` + +**Answer.** This error occurs because we don't allow Tenant members to do operations on OpenShift Project, whenever an operation is done on a project, `openshift-apiserver-sa` tries to do the same request onto a namespace. That's why the user sees `openshift-apiserver-sa` Service Account instead of its own user in the error message. + +The fix is to try the same operation on the namespace manifest instead. + +### Q. Error received while doing "kubectl apply -f namespace.yaml" + +```terminal +Error from server (Forbidden): error when retrieving current configuration of: +Resource: "/v1, Resource=namespaces", GroupVersionKind: "/v1, Kind=Namespace" +Name: "ns1", Namespace: "" +from server for: "namespace.yaml": namespaces "ns1" is forbidden: User "muneeb" cannot get resource "namespaces" in API group "" in the namespace "ns1" +``` + +**Answer.** Tenant members will not be able to use `kubectl apply` because `apply` first gets all the instances of that resource, in this case namespaces, and then does the required operation on the selected resource. To maintain tenancy, tenant members do not the access to get or list all the namespaces. + +The fix is to create namespaces with `kubectl create` instead. + +## MTO - ArgoCD Integration + +### Q. How do I deploy cluster-scoped resource via the ArgoCD integration? 
+ +**Answer.** Multi-Tenant Operator's ArgoCD Integration allows configuration of which cluster-scoped resources can be deployed, both globally and on a per-tenant basis. For a global allow-list that applies to all tenants, you can add both resource `group` and `kind` to the [IntegrationConfig's](./how-to-guides/integration-config.md#argocd) `spec.argocd.clusterResourceWhitelist` field. Alternatively, you can set this up on a tenant level by configuring the same details within a [Tenant's](./how-to-guides/tenant.md) `spec.argocd.appProject.clusterResourceWhitelist` field. For more details, check out the [ArgoCD integration use cases](./tutorials/argocd/enabling-multi-tenancy-argocd.md#allow-argocd-to-sync-certain-cluster-wide-resources) ## Q. InvalidSpecError: application repo \ is not permitted in project \ -**A.** The above error can occur if the ArgoCD Application is syncing from a source that is not allowed the referenced AppProject. To solve this, verify that you have referred to the correct project in the given ArgoCD Application, and that the repoURL used for the Application's source is valid. If the error still appears, you can add the URL to the relevant Tenant's `spec.argocd.sourceRepos` array. +**Answer.** The above error can occur if the ArgoCD Application is syncing from a source that is not allowed the referenced AppProject. To solve this, verify that you have referred to the correct project in the given ArgoCD Application, and that the repoURL used for the Application's source is valid. If the error still appears, you can add the URL to the relevant Tenant's `spec.argocd.sourceRepos` array. diff --git a/content/how-to-guides/integration-config.md b/content/how-to-guides/integration-config.md index 661c80d3d..8ecc07fa4 100644 --- a/content/how-to-guides/integration-config.md +++ b/content/how-to-guides/integration-config.md 
@@ -7,7 +7,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1 kind: IntegrationConfig metadata: name: tenant-operator-config - namespace: stakater-tenant-operator + namespace: multi-tenant-operator spec: tenantRoles: default: diff --git a/content/integration-config.md b/content/integration-config.md index 6a1842751..e1cccc312 100644 --- a/content/integration-config.md +++ b/content/integration-config.md @@ -7,7 +7,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1 kind: IntegrationConfig metadata: name: tenant-operator-config - namespace: stakater-tenant-operator + namespace: multi-tenant-operator spec: tenantRoles: default: @@ -253,6 +253,9 @@ users: `clusterAdminGroups:` Contains names of the groups that are allowed to perform CRUD operations on namespaces present on the cluster. Users in the specified group(s) will be able to perform these operations without MTO getting in their way +!!! note + User `kube:admin` is bypassed by default to perform operations as a cluster admin, this includes operations on all the namespaces. + ### Privileged Namespaces `privilegedNamespaces:` Contains the list of `namespaces` ignored by MTO. MTO will not manage the `namespaces` in this list. Values in this list are regex patterns. diff --git a/content/reference-guides/configuring-multitenant-network-isolation.md b/content/reference-guides/configuring-multitenant-network-isolation.md index 9b3eff12a..0d508d184 100644 --- a/content/reference-guides/configuring-multitenant-network-isolation.md +++ b/content/reference-guides/configuring-multitenant-network-isolation.md @@ -55,7 +55,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1 kind: IntegrationConfig metadata: name: tenant-operator-config - namespace: stakater-tenant-operator + namespace: multi-tenant-operator spec: openshift: project: diff --git a/content/reference-guides/custom-roles.md b/content/reference-guides/custom-roles.md index b7304959c..1af4184f1 100644 --- a/content/reference-guides/custom-roles.md 
+++ b/content/reference-guides/custom-roles.md @@ -9,7 +9,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1 kind: IntegrationConfig metadata: name: tenant-operator-config - namespace: stakater-tenant-operator + namespace: multi-tenant-operator spec: tenantRoles: default: @@ -35,7 +35,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1 kind: IntegrationConfig metadata: name: tenant-operator-config - namespace: stakater-tenant-operator + namespace: multi-tenant-operator spec: tenantRoles: default: diff --git a/content/reference-guides/integrationconfig.md b/content/reference-guides/integrationconfig.md index fe34081e7..d47592224 100644 --- a/content/reference-guides/integrationconfig.md +++ b/content/reference-guides/integrationconfig.md @@ -18,7 +18,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1 kind: IntegrationConfig metadata: name: tenant-operator-config - namespace: stakater-tenant-operator + namespace: multi-tenant-operator spec: openshift: privilegedNamespaces: @@ -44,7 +44,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1 kind: IntegrationConfig metadata: name: tenant-operator-config - namespace: stakater-tenant-operator + namespace: multi-tenant-operator spec: openshift: privilegedServiceAccounts: @@ -62,7 +62,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1 kind: IntegrationConfig metadata: name: tenant-operator-config - namespace: stakater-tenant-operator + namespace: multi-tenant-operator spec: openshift: privilegedServiceAccounts: @@ -85,7 +85,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1 kind: IntegrationConfig metadata: name: tenant-operator-config - namespace: stakater-tenant-operator + namespace: multi-tenant-operator spec: vault: enabled: true diff --git a/content/tutorials/argocd/enabling-multi-tenancy-argocd.md b/content/tutorials/argocd/enabling-multi-tenancy-argocd.md index b4e71bf29..06d86c908 100644 --- a/content/tutorials/argocd/enabling-multi-tenancy-argocd.md 
+++ b/content/tutorials/argocd/enabling-multi-tenancy-argocd.md @@ -31,7 +31,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1 kind: IntegrationConfig metadata: name: tenant-operator-config - namespace: stakater-tenant-operator + namespace: multi-tenant-operator spec: ... argocd: @@ -138,7 +138,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1 kind: IntegrationConfig metadata: name: tenant-operator-config - namespace: stakater-tenant-operator + namespace: multi-tenant-operator spec: ... argocd: @@ -178,7 +178,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1 kind: IntegrationConfig metadata: name: tenant-operator-config - namespace: stakater-tenant-operator + namespace: multi-tenant-operator spec: ... argocd: diff --git a/content/usecases/argocd.md b/content/usecases/argocd.md index 7c0f2fad8..219ab84f4 100644 --- a/content/usecases/argocd.md +++ b/content/usecases/argocd.md @@ -9,7 +9,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1 kind: IntegrationConfig metadata: name: tenant-operator-config - namespace: stakater-tenant-operator + namespace: multi-tenant-operator spec: ... argocd: @@ -116,7 +116,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1 kind: IntegrationConfig metadata: name: tenant-operator-config - namespace: stakater-tenant-operator + namespace: multi-tenant-operator spec: ... argocd: @@ -156,7 +156,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1 kind: IntegrationConfig metadata: name: tenant-operator-config - namespace: stakater-tenant-operator + namespace: multi-tenant-operator spec: ... argocd: diff --git a/content/usecases/configuring-multitenant-network-isolation.md b/content/usecases/configuring-multitenant-network-isolation.md index d53ae7747..8d751f3c3 100644 --- a/content/usecases/configuring-multitenant-network-isolation.md +++ b/content/usecases/configuring-multitenant-network-isolation.md 
@@ -55,7 +55,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1 kind: IntegrationConfig metadata: name: tenant-operator-config - namespace: stakater-tenant-operator + namespace: multi-tenant-operator spec: openshift: project: diff --git a/content/usecases/custom-roles.md b/content/usecases/custom-roles.md index d61e86625..ace50dc37 100644 --- a/content/usecases/custom-roles.md +++ b/content/usecases/custom-roles.md @@ -9,7 +9,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1 kind: IntegrationConfig metadata: name: tenant-operator-config - namespace: stakater-tenant-operator + namespace: multi-tenant-operator spec: tenantRoles: default: @@ -35,7 +35,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1 kind: IntegrationConfig metadata: name: tenant-operator-config - namespace: stakater-tenant-operator + namespace: multi-tenant-operator spec: tenantRoles: default: diff --git a/content/usecases/integrationconfig.md b/content/usecases/integrationconfig.md index 1429e756d..b066ee193 100644 --- a/content/usecases/integrationconfig.md +++ b/content/usecases/integrationconfig.md @@ -18,7 +18,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1 kind: IntegrationConfig metadata: name: tenant-operator-config - namespace: stakater-tenant-operator + namespace: multi-tenant-operator spec: openshift: privilegedNamespaces: @@ -44,7 +44,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1 kind: IntegrationConfig metadata: name: tenant-operator-config - namespace: stakater-tenant-operator + namespace: multi-tenant-operator spec: openshift: privilegedServiceAccounts: @@ -62,7 +62,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1 kind: IntegrationConfig metadata: name: tenant-operator-config - namespace: stakater-tenant-operator + namespace: multi-tenant-operator spec: openshift: privilegedServiceAccounts: 
@@ -85,7 +85,7 @@ apiVersion: tenantoperator.stakater.com/v1alpha1 kind: IntegrationConfig metadata: name: tenant-operator-config - namespace: stakater-tenant-operator + namespace: multi-tenant-operator spec: vault: enabled: true
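Review bot: The rewritten `kube:admin` changelog entry in `content/changelog.md` is a comma splice and does not say whether the new default bypass can be turned off; an unconditional bypass of a fixed identity in the namespace admission webhook is a security-relevant default, so split the sentence and state whether it is configurable, e.g. "`kube:admin` now bypasses MTO's namespace checks by default. Previously it had to be listed in each tenant to gain access to that tenant's namespaces."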
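Review bot: In the new `kubectl apply` FAQ in `content/faq.md`, the explanation does not match the quoted error: the error says `apply` failed when "retrieving current configuration" of `namespaces "ns1"`, i.e. a `get` of the named object to compute the patch, not a fetch of "all the instances of that resource"; suggest "because `apply` first reads the current state of the object it is about to write, and tenant members are not allowed to `get` namespaces". The same answer drops a word: "tenant members do not the access to get or list" should read "do not have access to get or list". Two formatting points in the same hunk: "**Answer.** Error occurs when" reads better as "This error occurs when", and the `## Q. InvalidSpecError` heading is left at `##` while its sibling ArgoCD question was moved to `### Q.` under the new `## MTO - ArgoCD Integration` section, so it now falls outside that section in the rendered page.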
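Review bot: The new `!!! note` under `clusterAdminGroups` in `content/integration-config.md` says `kube:admin` is bypassed by default but not whether an administrator can disable that; for an admission bypass keyed on a fixed username that is the first question a cluster admin hardening the setup will ask, so either name the setting or state plainly that it is unconditional. The sentence is also a comma splice ("...as a cluster admin, this includes..."); suggest "User `kube:admin` bypasses MTO's checks by default and is treated as a cluster admin, which includes operations on all namespaces." This patch touches `content/how-to-guides/integration-config.md` and `content/reference-guides/integrationconfig.md` only for the namespace rename; if those copies also document `clusterAdminGroups`, they need the same admonition or the three copies will disagree.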
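Review bot: The `stakater-tenant-operator` to `multi-tenant-operator` rename is applied consistently across every IntegrationConfig example in the patch, but nothing in the patch records why: the changelog hunk mentions only the `kube:admin` change. If the operator's installation namespace really changed, existing installs need to know which namespace the operator now expects the `tenant-operator-config` IntegrationConfig in, so add a changelog entry and a short migration note; if the docs were simply wrong before, say so in the commit message.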