mirror of
https://github.com/fluxcd/flux2.git
synced 2026-02-25 00:51:48 +00:00
Add network policies reference
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
parent
a46f4e36cf
commit
43372a9ac7
1 changed files with 9 additions and 1 deletions
|
|
@ -5,9 +5,17 @@
|
||||||
Cross-namespace references to Flux sources should be subject to
|
Cross-namespace references to Flux sources should be subject to
|
||||||
Access Control Lists (ACLs) as defined by the owner of a particular source.
|
Access Control Lists (ACLs) as defined by the owner of a particular source.
|
||||||
|
|
||||||
|
Similar to [Kubernetes Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/),
|
||||||
|
Flux ACLs define policies for restricting the access to the source artifact server based on the
|
||||||
|
caller's namespace.
|
||||||
|
|
||||||
## Motivation
|
## Motivation
|
||||||
|
|
||||||
As of v0.23.0, Flux allows for `Kustomizations` and `HelmReleases` to reference sources in different namespaces.
|
This proposal tries to solve the "cross-namespace references side-step namespace isolation" issue (explained in
|
||||||
|
[RFC-0001](https://github.com/fluxcd/flux2/tree/main/rfcs/0001-authorization#cross-namespace-references-side-step-namespace-isolation)).
|
||||||
|
|
||||||
|
As of [version 0.25](https://github.com/fluxcd/flux2/releases/tag/v0.25.0) (Ian 2022),
|
||||||
|
Flux allows for `Kustomizations` and `HelmReleases` to reference sources in different namespaces.
|
||||||
This poses a serious security risk for multi-tenant environments as Flux does not prevent tenants from accessing
|
This poses a serious security risk for multi-tenant environments as Flux does not prevent tenants from accessing
|
||||||
known sources outside of their namespaces.
|
known sources outside of their namespaces.
|
||||||
|
|
||||||
|
|
|
||||||
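Review bot: "(Ian 2022)" in the added "As of [version 0.25](...)" line looks like a typo for "Jan 2022"; spelling the month out as "January 2022" would avoid the ambiguity. The same line also changes the stated version from `v0.23.0` to 0.25, which the commit subject ("Add network policies reference") does not mention, so a short note in the commit message on why the version was corrected would help. In the added summary paragraph, the access restriction is described as "based on the caller's namespace" while the sentence before it says ACLs are "defined by the owner of a particular source"; consider tying the two together so it is clear who sets the policy and what it is evaluated against.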