Limiting user access at a namespace level


#1

I want to limit users’ access so they can only see or manipulate resources in a namespace that they have access to. Essentially, I want team members to have insight into the pipelines that are relevant to them but not see any for other products. The only way I was able to do this was by creating an account per application per cluster (hal config provider k8s account add appA-<env> --namespaces appA) and then using requiredGroupMembership to limit these users.

Is there a better way to do this, and are there any performance-related concerns with adding hundreds of Kubernetes accounts within Spinnaker?


#2

Is this using the V1 or V2 Kubernetes provider? I think the V2 provider does not (yet) scale as well to a large (100+) number of accounts because of its reliance on kubectl.

@ttomsu what are your thoughts on making namespace a protected resource in fiat?


#3

We are using the V1 provider. V1 will utilize less resources than V2 in this situation?


#4

> V1 will utilize less resources than V2 in this situation?

Yes – the client library does a lot less work (at the expense of some functionality) than kubectl.
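
An added example, not part of the thread: with one account per application per cluster, as described in post #1, isolation depends on every account carrying both a namespace list and a group restriction. The sketch below audits a list of account entries for gaps; the field names (`name`, `namespaces`, `requiredGroupMembership`) and the sample accounts are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: entries shaped like Kubernetes account definitions
# (field names are assumptions, not copied from a real deployment).
ACCOUNTS = [
    {"name": "appA-prod", "namespaces": ["appA"], "requiredGroupMembership": ["team-a"]},
    {"name": "appB-prod", "namespaces": ["appB"], "requiredGroupMembership": ["team-b"]},
    {"name": "shared-prod", "namespaces": [], "requiredGroupMembership": ["platform"]},
    {"name": "appC-prod", "namespaces": ["appC"], "requiredGroupMembership": []},
    {"name": "appB-debug", "namespaces": ["appB", "appA"], "requiredGroupMembership": ["team-b"]},
]

def audit_accounts(accounts):
    """Return (subject, finding) pairs for gaps in per-namespace isolation."""
    findings = []
    groups_by_ns = defaultdict(dict)  # namespace -> {account name: set of groups}
    for acct in accounts:
        name = acct["name"]
        namespaces = acct.get("namespaces") or []
        groups = set(acct.get("requiredGroupMembership") or [])
        # Assumption: an empty namespace list means the account is not
        # limited to any namespace.
        if not namespaces:
            findings.append((name, "no namespace restriction"))
        # Assumption: an empty group list means any user may use the account.
        if not groups:
            findings.append((name, "no group restriction"))
        for ns in namespaces:
            groups_by_ns[ns][name] = groups
    # A namespace listed by accounts with different group sets is visible
    # to more than one team.
    for ns, owners in sorted(groups_by_ns.items()):
        if len({frozenset(g) for g in owners.values()}) > 1:
            all_groups = sorted(set().union(*owners.values()))
            findings.append(
                (ns, "namespace reachable by multiple groups: " + ", ".join(all_groups))
            )
    return findings

if __name__ == "__main__":
    for subject, finding in audit_accounts(ACCOUNTS):
        print(f"{subject}: {finding}")
```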