[Question] Why not merge SelectorSyncSet and SyncSet into one CRD?
#601
Comments
|
This was our original plan but I believe the determining factor was namespaced vs global. We use namespaces as a small layer of isolation for clusters as those namespaces contain account credentials and certificates. In the case of SyncSet we're tying to specific clusters and thus it made sense to have them be a namespaced CRD. At the time of writing they could contain secrets (we since have a way to break those out), but in general for per cluster content we felt it was best to isolate those into the namespace with the cluster(s) they relate to. SelectorSyncSet on the other hand we wanted to be a global resource as they typically span many or all clusters in all namespaces. We could do that with some kind of implicit rule like they live in the Hive namespace, but at the time we discussed it felt best to separate them given the differences in their scope. |
|
No, that's correct. We wanted SyncSets to be a namespaced resource because it's associated with a cluster deployment in a specific namespace. SelectorSyncSets can apply to cluster deployments across many namespaces therefore they are a cluster-scoped CRD |
|
It could but it would expose more information globally than we wanted to. SyncSets transfer per cluster certificates, identity providers, lists of dedicated admin usernames, etc. Pushing this up to a global SelectorSyncSet CRD complicates RBAC and potentially exposes us to reveal more information to someone than we wanted to. The distinction between the two offers better flexibility for RBAC in a multi-tenant use of Hive, and possibly better security as well. |
|
@dgoodwin this make sense, thanks! |
SyncSetcan use cluster name whileSelectorSyncSetcan use cluster labels, why not merge those two CRD into one?The text was updated successfully, but these errors were encountered: