-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add proposal watching multiple namespace for KafkaTopic/KafkaUser/KafkaConnector resources #137
base: main
Are you sure you want to change the base?
feat: add proposal watching multiple namespace for KafkaTopic/KafkaUser/KafkaConnector resources #137
Conversation
Signed-off-by: lenglet-k <[email protected]>
fd75f18
to
9e1bb3f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the proposal. Some general comments:
- I think this should be split into several proposals - each for the different resource. Among other things, there is a very different demand for it with different resources (and I can imagine for example it not being approved for the connector resource)
- Each custom resource is very expensive to maintain. So I think you should avoid adding new resources. If you insist on it, you should provide technical details how they would be handled in the code. You also have to explain how to deal with the conflicts of the old and new resources.
- The design of the Connector operator makes the implementation IMHO especially tricky. So you should provide the details of how would it work.
- At least for Connectors and Users, there is a huge security hole (which is also why it is important that you don't talk about multitenancy because it is ot, it is just naming mechanism).
- Connect does not provide any real sandboxing, protection of credentials etc. So by deploying the connectors, you can easily steal the credentials and data. The real "multitenant" way to deploy Connectors is to have your own Connect and Connectors in its own namespace.
- Users control the ACLs. So any user can grant itself access to any data in the Kafka cluster. Or can break any data in the Kafka cluster by producing poisoned or falsified messages.
- The problem is not just that this is a security hole that you might have to accept. But also that this is a non-obvious and might mislead users. I think this is a major blocker.
- Most users do not want to grant Strimzi the rights to watch the whole cluster and to have access to all Secrets etc. So you should probably spent more effort on explaining how the configuration would work, what would need to be provided to the operator, what might not need to be provided (is optional) etc. So explain the configurations, deployment modes, RBAC rights etc. in more detail.
- The rejected alternative describes how to deal with naming conflicts. I do not understand why did you rejected it. While it might add complexity, it is also something without which it does not work reliably and cannot be supported.
088-watching-multiple-namespaces.md
Outdated
|
||
## Motivation | ||
|
||
In a multi-tenant Kubernetes cluster, it'as a common practice to define authorization at namespace level or to deploy many application in different namespace. In the case where `Kafka` (Generaly it's case) it's mutualized for many applications and/or for many customers, it's more flexible and secure for deployed each applications in a dedicated namespace. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Kubernetes is not multi-tenant. At least when it comes to operators. Kafka is also not multitenant. So you should not suggest here that it is. You have to make it clear from the beginning that this is not a multitenancy feature, but only a naming construct.
|
||
Create a new `CustomResourceDefinition` to handle topics that are created in namespaces, called `KafkaNamespaceTopic`. This CRD will allow the user to create a topic that will be automatically namespaced within Kafka by the Topic Operator. It will encode the actual topic name using the Kubernetes namespace the resource resides, and either the `metadata.name` or `spec.topicName` (if defined) of the instance of a `KafkaNamespaceTopic`. | ||
|
||
`{Kubernetes namespace name}.{metadata.name|spec.topicName}` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One more thought ... While for users, prefixing or suffixing makes sense, for Topics, it is way more controversial. Because it means that once you have the topic created in namespace A and have some data in it, you cannot move it to another namespace (if you just create the same topic in another namespace it would get a new name and be empty). Moreover, the Topic Operator already uses the .spec.topicName
field and is able to handle conflicts. So the question is whether the prefixing or suffixing here makes really sense and is desired.
|
||
> NOTE: Kubernetes namespaces and `metadata.names` cannot use the character `.` | ||
|
||
The `KafkaNamespaceTopic` will include all configuration that is available in a `KafkaTopic` and the `strimzi.io/cluster` labels for apply this topic to an existing `Kafka` cluster. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we really need a new CRD copying the content we already have in KafkaTopic
. Isn't really a different way of specifying the same maybe using an annotation? Or maybe I haven't got why we need a CRD and an actual example would be beneficial to the proposal.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After thinking about it and reading your feedback, I don't think that adding new CRDs is the right solution. It won't add much more than a specific annotation, as I said in the rejected alternative.
Hello @scholzj, thanks for your answer:
|
the problem is that there is no place to put the warning in. And if you want manage your own connectors, it has an easy solution - run your own Connect.
The KafkaUser contains the ACLs. So once you can use KafkaUSer, you can grant yourself ACLs for anything. |
Today there's no such warning, but there's nothing to stop us using a single KafkaConnect cluster with connectors using different KafkaUsers. This is a possible use. The real solution is to deploy one KafkaConnect per client.
This is already the case today, and the way to remedy it would be to have one Kafka cluster per KafkaUser, which is not a solution. |
It is pretty complicated to have a Kafka user per connector. And your proposal does not make it easier in any way (in fact the different namespace of the Connector and Connect resources will make it only harder). Anyway, the main use-case of having a Kafka user per connector would be monitoring or quotas and not security. But the main concern here would be IMHO leaking credentials to the other systems (e.g. databases, storage, etc.).
I do not really follow how you do things from how you describe it. But please keep in mind that one of the things the proposal needs to ensure is usability and added value for everyone. And not just you. I think the general use case for multi-namespace TO and UO (and possibly the Connector operator) is a shared cluster with shared responsibilities. The teams using the different namespaces (e.g. to deploy different services using the same cluster) would get their freedom in deploying their applications. But the way the KafkaUser resources are designed would mean that each of these teams can grant themselves access to anything in the Kafka cluster. That might be acceptable for some users but might also be a huge risk and a blocker for others. If you have centrally managed Kafka cluster, you typically don't mind the users and topics in a single namespace. You can very easily build for example a GitOps setup to have your users open PRs to create the topics/users and your central team can review it and merge it. The review process gives you the control over what is being done and allows you to enforce whatever policies you want to follow. And GitOps then just applies the resources into the right namespace to create the topics and users. If you have a central team managing he Kafka cluster, I'm not sure I understand why the multi-namespace stuff really matters. |
Today we have a single KafkaConnect cluster, and for each of our customers, we have dedicated connectors with dedicated KafkaUsers who have limited ACLs on their resources. The cluster is closed and secured by filtering rules. I agree, but this doesn't prevent the security concerns we've already mentioned.
I'm well aware of this, which is why I'm discussing it with you :) . And I'm not the only one who needs it, since it's already been identified in various issues.
These are not teams, but client applications, which a single team at our company deploys through a Helm chart per client and ArgoCD. Today, since all resources (KafkaTopics / KafkaUsers / KafkaConnector) must be deployed in a single namespace, we deploy our 200 customers in the same namespace. I'm sure you'll agree that from a management and security point of view this isn't the best solution either, but in the end it's our problem. So in our case, and for the security of the client applications we deploy, we obviously pay close attention to the ACLS of the KafkaUsers, which is why we've developed a Helm chart to define the Acls for each of our client applications.
Multi-namespace is important because it allows us to secure deployed client applications more easily, via network policies per client namespace instead of having network policies per client application in a single namespace. From a management point of view, it's also easier (quota/limit) on Kubernetes namespaces, 200 namespaces but not 200 applications in a single namespace. Even if we were to adapt our gitOps flow, we'd have to create our KafkaUser in the namespace where the KafkaUser cluster is deployed, then wait for the secrets to be created, retrieve their values and copy them into the right namespaces for our clients and configure the associated applications. After that, we need to monitor the modification/deletion of secrets and repeat the previous operation. In my opinion, it's the role of an operator to enable these functionalities, by allowing in our case to configure the KafkaUser resource in the correct Kafka cluster without needing to copy the secrets etc, It doesn't matter which namespace or KafkaUser resource was created, same things for kafkaTopic. |
I think you use the terms such as user, client, customer etc. in your own terms without really explaining them, so it is a bit hard to follow what they mean. If you have one team and already use GitOps, then I think the solution I suggested for you fits much better to the general usage patterns. What you describe here, is not what most users talk about when they talk about multi-namespace UO and TO. I agree that in your case if you have a single team that manages many applications in a single namespace the security is not the main concern. But for most other users it most certainly would.
You can quite easily use various tools to synchronize the Secrets across namespaces. You can also try the Strimzi Access Operator that was created for this purpose. So I think there are many different ways how you can have your applications deployed across namespaces with lot less effort. I'm also not convinced it really solves the general issues because I think most people want more or less faked multi-tenancy for independent teams. The Connectors also don't really match this explanation as the connectors are ultimately running in the single namespace of the Connect cluster. So no quotas or network policies really matter for them. They will always be the 200 applications not just in a single namespace but even in a single deployment. So I think even if I assumed the premise of one team managing everything, the connectors do not seem to fit in. |
Sorry if I'm not clear. But my need is exactly the same as specified here: #6301: declare KafkaTopic in other namespaces than the one where the topic-operator is deployed FYI: client/customer are the same thing, these are dedicated applications (per client/customer) which use the Kafka Cluster. They need KafkaTopics/KAfkaUser and KafkaConnectors to function, themselves dedicated per client. |
Is your need really exactly the same? I think there are at least two use cases:
In the first use case, the security concerns likely don't matter much. But for the second one where you want different teams to manage their own stuff, the security issues matter much more. And from my experience and discussions with our users, the second one is what most of them want. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As can be seen from the issues raised against the current functionality, it's something customers are keen to see implemented, so it's great you're looking into a solution.
I reviewed down to the specification of the CRDs, as a new approach is being considered, and left a few minor suggestions around wording.
Co-authored-by: PaulRMellor <[email protected]> Signed-off-by: lenglet-k <[email protected]>
Co-authored-by: PaulRMellor <[email protected]> Signed-off-by: lenglet-k <[email protected]>
Co-authored-by: PaulRMellor <[email protected]> Signed-off-by: lenglet-k <[email protected]>
Co-authored-by: PaulRMellor <[email protected]> Signed-off-by: lenglet-k <[email protected]>
Co-authored-by: PaulRMellor <[email protected]> Signed-off-by: lenglet-k <[email protected]>
Co-authored-by: PaulRMellor <[email protected]> Signed-off-by: lenglet-k <[email protected]>
Co-authored-by: PaulRMellor <[email protected]> Signed-off-by: lenglet-k <[email protected]>
Co-authored-by: PaulRMellor <[email protected]> Signed-off-by: lenglet-k <[email protected]>
OK, thanks for your feedback. What do you think should happen next? As I don't have all your knowledge on this subject, it's hard for me to know what direction to take. |
I'm afraid I do not know what is the right direction. I'm not even sure if this is something Strimzi can address on its level. Sometimes, when some issues are open for years the reason is that there is no easy way to solve them and not just that nobody had time to solve them. |
Hi @lenglet-k Thanks for the proposal, I've read through the proposal and all the comments. For Connect at least I'm struggling to see the benefit of being able to deploy connectors in different namespaces from the Connect cluster. If different teams are managing different connectors then having a separate Connect cluster per team prevents connector name clashes and gives the added benefit of allowing you to lock down each Connect cluster to only have the permissions needed for that team. I think if you do want to make progress with this proposal it would make sense to separate out user, topic and connector as separate proposals. That would allow more focused discussion and make it easier for community members to review and comment on their area of expertise/interest. However, I would question whether the connector one is really needed by many people in the community. |
Hello,
Here's a proposal linked to the problem of creating resources in multiple namespaces. This concerns connectors (KafkaConnector), topics (KafkaTopic) and users (KafkaUsers).
The aim is to identify a solution enabling Strimzi to manage these resources created in different namespaces and thus extend the functionality of the Kafka Strimzi operator.
Linked Issue: