[RFC-0010] Add multi-tenancy lockdown for decryption and kubeconfig#1495

Merged
matheuscscp merged 1 commit into fluxcd:main from cappyzawa:rfc-0010-multi-tenancy-lockdown on Aug 17, 2025
@cappyzawa

@matheuscscp left a comment

👌

Comment thread go.mod Outdated
Comment thread internal/controller/kustomization_configuration_error_test.go Outdated
Comment thread internal/decryptor/decryptor.go Outdated
@matheuscscp

Please bump also fluxcd/pkg/runtime 🙏

@cappyzawa force-pushed the rfc-0010-multi-tenancy-lockdown branch 2 times, most recently from 32ee08f to 4ab943a (August 17, 2025 07:09)

@matheuscscp left a comment

LGTM! 🚀

One last nit

Comment thread internal/controller/kustomization_configuration_error_test.go Outdated
@cappyzawa force-pushed the rfc-0010-multi-tenancy-lockdown branch from 4ab943a to bddf652 (August 17, 2025 08:06)

Adds two new controller flags to enforce ServiceAccount usage in
multi-tenant clusters where administrators need to lock down workload
identity access:

- --default-decryption-service-account
- --default-kubeconfig-service-account

These flags complement the existing --default-service-account flag to
provide complete multi-tenancy lockdown coverage for all three classes
of ServiceAccount fields in the Kustomization API.

Signed-off-by: cappyzawa <cappyzawa@gmail.com>

@cappyzawa force-pushed the rfc-0010-multi-tenancy-lockdown branch from bddf652 to c5f0efd (August 17, 2025 08:11)

@matheuscscp merged commit e7aaaf2 into fluxcd:main on Aug 17, 2025
5 checks passed