Cross namespace configmap mapping #2183

Open
rahtr opened this issue Oct 3, 2024 · 0 comments
Labels
area/carm Issues or PRs related to CARM (Cross Account Resource Management) area/runtime Issues or PRs as related to controller runtime, common reconciliation logic, etc kind/feature Categorizes issue or PR as related to a new feature.


rahtr commented Oct 3, 2024

Is your feature request related to a problem?
Currently, to set up CARM, a ConfigMap must be created in the namespace where the controller is deployed. This approach works well in a single-tenancy model, but in a multi-tenancy model, it compromises modularity. For instance, if you have hundreds of teams, each with their own individual AWS account, you would end up managing a single ConfigMap in the controller's namespace. This not only complicates management but also increases the risk of errors. If an issue arises with the ConfigMap, all tenants are affected.

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
  name: ack-role-account-map
  namespace: $ACK_SYSTEM_NAMESPACE
data:
  "<TEAM_AWS_ACCOUNT_ID>": arn:aws:iam::<TEAM_AWS_ACCOUNT_ID>:role/<TEAM_AWS_ACCOUNT_ROLE_NAME>
EOF

Describe the solution you'd like
I do understand that k8s doesn't support cross-referencing natively, and as the shared informers are scoped per namespace for namespace-scoped objects, it would be difficult to implement. We may need to explore alternative approaches to achieve this. For example, ESO (https://external-secrets.io/v0.4.1/provider-aws-secrets-manager/) follows a per-resource implementation. We could potentially follow a similar approach and retrieve the role from the namespace objects themselves.

Describe alternatives you've considered
None

@rahtr rahtr changed the title Allowing Cross namespace configmap mapping Oct 3, 2024
@a-hilaly a-hilaly added area/runtime Issues or PRs as related to controller runtime, common reconciliation logic, etc kind/feature Categorizes issue or PR as related to a new feature. area/carm Issues or PRs related to CARM (Cross Account Resource Management) labels Oct 8, 2024
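
An added example, not part of the original issue and not ACK project code: a pre-apply check for the single shared `ack-role-account-map` ConfigMap described in the issue, run over the ConfigMap as JSON so that one bad entry is caught before it reaches the controller. The function name, the sample account IDs and role names, and the rule that a role ARN's account must equal its key are assumptions of this example.

```python
import json
import re

ACCOUNT_ID = re.compile(r"[0-9]{12}")
# IAM role ARN: partition, 12-digit account, optional path, role name.
ROLE_ARN = re.compile(
    r"arn:(?:aws|aws-cn|aws-us-gov):iam::([0-9]{12}):role/[\w+=,.@/-]+"
)


def check_role_account_map(configmap_json):
    """Return (key, problem) pairs for entries of .data that look wrong."""
    data = json.loads(configmap_json).get("data") or {}
    problems = []
    for key, value in data.items():
        if not ACCOUNT_ID.fullmatch(key):
            problems.append((key, "key is not a 12-digit account ID"))
            continue
        match = ROLE_ARN.fullmatch((value or "").strip())
        if match is None:
            problems.append((key, "value is not an IAM role ARN"))
        elif match.group(1) != key:
            # Assumed rule: a key that maps to a role in a different account
            # would send one tenant's resources into another tenant's account.
            problems.append((key, "role ARN belongs to account " + match.group(1)))
    return problems


# Constructed sample: one valid entry and three typical editing mistakes.
SAMPLE = json.dumps({
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "ack-role-account-map"},
    "data": {
        "111111111111": "arn:aws:iam::111111111111:role/team-a-ack",
        "222222222222": "arn:aws:iam::111111111111:role/team-a-ack",
        "333333333333": "arn:aws:iam:333333333333:role/team-c-ack",
        "44444444444": "arn:aws:iam::444444444444:role/team-d-ack",
    },
})

if __name__ == "__main__":
    for key, problem in check_role_account_map(SAMPLE):
        print(f"{key}: {problem}")
```

The input can come from `kubectl get configmap ack-role-account-map -n $ACK_SYSTEM_NAMESPACE -o json`, or from the manifest converted to JSON in CI before `kubectl apply`.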