github/capsule
1
0
Fork 0
mirror of https://github.com/projectcapsule/capsule.git synced 2026-05-14 05:16:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
08fbd26ec879ae6520b734c2e6d31ef6d01368ce
capsule/docs/operator/use-cases/node-ports.md
Dario Tranchitella 52a73e011c docs: block of NodePort services using Tenant annotation
2021-05-29 00:31:17 +02:00

1.0 KiB
Raw Blame History

Disabling NodePort Services per Tenant

When dealing with a shared multi-tenant scenario, NodePort services can start becoming cumbersome to manage.

Reason behind this could be related to the overlapping needs by the Tenant owners, since a NodePort is going to be open on all nodes and, when using hostNetwork=true, accessible to any Pod although any specific NetworkPolicy.

Actually, Capsule doesn't block by default the creation of NodePort services.

Although this behavior is not yet manageable using a CRD key, if you need to prevent a Tenant from creating NodePort Services, the annotation capsule.clastix.io/enable-node-ports can be used as follows.

apiVersion: capsule.clastix.io/v1alpha1
kind: Tenant
metadata:
  name: oil
  annotations:
    capsule.clastix.io/enable-node-ports: "false"
spec:
  owner:
    kind: User
    name: alice

With the said configuration, any Namespace owned by the Tenant will not be able to get a Service of type NodePort since the creation will be denied by the validation webhook.

Reference in New Issue View Git Blame Copy Permalink